This is the accessible text file for GAO report number GAO-03-174
entitled 'Technology Assessment: Using Biometrics for Border Security'
which was released on November 14, 2002.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products’ accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
Report to the Subcommittee on Legislative Branch, Committee on
Appropriations, U.S. Senate:
United States General Accounting Office:
GAO:
November 2002:
Technology Assessment:
Using Biometrics for Border Security:
Biometrics in Border Control:
GAO-03-174:
Contents:
Letter:
Technology Assessment Overview:
Purpose:
Background:
Results in Brief:
Border Control Overview:
Biometric Technologies:
Scenarios for Using Biometric Technologies for Border Security:
The Role of Biometrics in Border Security:
Chapter 1: Introduction:
The Federally Mandated Biometric Chimera System:
An Overview of This Report:
Chapter 2: Today’s U.S. Border Control Procedures:
How U.S. Passports Are Issued:
How U.S. Visas Are Issued:
Inspection at U.S. Ports of Entry:
Chapter 3: Biometric Technologies for Personal Identification:
Biometrics Defined:
How the Technologies Work:
Leading Biometric Technologies:
Emerging Biometric Technologies:
Common Applications of Biometric Technologies:
Performance Issues:
Technologies Viable for U.S. Border Control:
Biometric Technology Applied to Border Control Today:
Chapter 4: Scenarios for Border Control with Biometrics:
Watch List Check before Issuing Travel Documents:
Watch List Check before Entering the United States:
U.S. Visas with Biometrics:
U.S. Passports with Biometrics:
Implementing Multiple Scenarios:
Chapter 5: Applying Biometrics to Border Control: Challenges
and Implications:
The Performance of Biometric Technologies:
How Introducing the Technology Affects People and Procedures:
Weighing Costs and Benefits:
Effects on Privacy and the Economy:
Chapter 6: Summary:
Key Considerations in Using Biometrics for Border Control:
High-Level Analysis of Four Scenarios Using Biometrics:
The Role of Biometrics in Border Security:
Agency Comments and Our Evaluation:
External Reviewers’ Comments:
Appendix I: Our Technology Assessment Methodology:
Appendix II: Fingerprint Recognition Technology:
How the Technology Works:
The Leading Vendors:
The Cost of Devices:
Performance Issues:
User Acceptance:
The Technology’s Maturity:
Border Control Applications Piloted and Deployed:
Processing Issues:
Device Durability and Environmental Constraints:
Appendix III: Hand Geometry Technology:
How the Technology Works:
The Leading Vendors:
The Cost of Devices:
Performance Issues:
User Acceptance:
The Technology’s Maturity:
Border Control Applications Piloted and Deployed:
Device Durability and Environmental Constraints:
Appendix IV: Facial Recognition Technology:
How the Technology Works:
The Leading Vendors:
The Cost of Devices:
Performance Issues:
User Acceptance:
The Technology’s Maturity:
Border Control Applications Piloted and Deployed:
Processing Issues:
Device Durability and Environmental Constraints:
Appendix V: Iris Recognition Technology:
How the Technology Works:
The Leading Vendors:
The Cost of Devices:
Performance Issues:
User Acceptance:
The Technology’s Maturity:
Border Control Applications Piloted and Deployed:
Processing Issues:
Device Durability and Environmental Constraints:
Appendix VI: Cost Estimates for Using Biometrics for Border
Security:
Initial Cost Elements:
Recurring Cost Elements:
Assumptions:
Estimated Costs for Conducting Watch List Checks with Biometrics:
Estimated Costs for Issuing Visas with Biometrics:
Estimated Costs for Issuing Passports with Biometrics:
Appendix VII: Comments from the U.S. Department of State:
Appendix VIII: Comments from the U.S. Department of Justice:
Appendix IX: GAO Contacts and Acknowledgments:
GAO Contacts:
Acknowledgments:
Bibliography:
Tables:
Table 1: Leading Biometric Technologies:
Table 2: Number of Inspections at U.S. Ports of Entry, Fiscal Year
2001:
Table 3: Estimated Costs for Implementing Border Security Scenarios:
Table 4: Number of Inspections at U.S. Ports of Entry, Fiscal Year
2001:
Table 5: Leading Biometric Technologies and Their Template Size:
Table 6: Emerging Biometric Technologies and Their Maturity:
Table 7: Independent Biometric Test Results, 1991-2002:
Table 8: Four Viable Biometric Technologies Compared:
Table 9: The Enrollment Size of Seven Operational Biometric Systems:
Table 10: Estimated Number of Biometric Matching Transactions in Four
Border Control Scenarios:
Table 11: Security Risks and Mitigating Techniques:
Table 12: The Number and Type of Fraudulent Documents INS Inspectors
Intercepted, Fiscal Year 2001:
Table 13: Estimated Costs for Watch List Checks:
Table 14: Estimated Costs for Issuing Visas with Biometrics:
Table 15: Estimated Consular Costs for Issuing Visas with Biometrics:
Table 16: Estimated Costs for Issuing Passports with Biometrics:
Table 17: Cost Estimate Uncertainty Analysis for Four Scenarios:
Table 18: Summary of Biometric Systems Privacy Guidelines:
Table 19: Estimated Costs for Implementing Border Security Scenarios:
Table 20: Leading Vendors of Fingerprint Recognition Biometrics:
Table 21: Summary of Results from the Fingerprint Verification
Competition 2000:
Table 22: Summary of Results from the Fingerprint Verification
Competition 2002:
Table 23: INSís IDENT Fingerprint Benchmark Test Results, 1998:
Table 24: Identix Airport Facial Biometric Pilot Results:
Table 25: Facial Recognition Product Usability Test:
Table 26: Estimated Costs for Watch List Checks before Issuing Travel
Documents and before Entering the United States:
Table 27: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint Recognition:
Table 28: Estimated Costs for Issuing Visas with Biometrics Using Iris
Recognition:
Table 29: Estimated Costs for Issuing Visas with Biometrics Using
Facial Recognition:
Table 30: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint and Iris Recognition:
Table 31: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint and Facial Recognition:
Table 32: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint, Iris, and Facial Recognition:
Table 33: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint Recognition:
Table 34: Estimated Costs for Issuing Passports with Biometrics Using
Iris Recognition:
Table 35: Estimated Costs for Issuing Passports with Biometrics Using
Facial Recognition:
Table 36: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint and Iris Recognition:
Table 37: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint and Facial Recognition:
Table 38: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint, Iris, and Facial Recognition:
Figures:
Figure 1: The U.S. Passport Application Process:
Figure 2: A U.S. Passport Cover:
Figure 3: A U.S. Passport’s Biography Page:
Figure 4: The U.S. Visa Application Process:
Figure 5: A U.S. Visa Foil:
Figure 6: The U.S. Port of Entry Inspection Process:
Figure 7: Motor Vehicles Waiting for Inspection at the Paso del Norte
Port of Entry, El Paso, Texas:
Figure 8: A Driver Being Questioned at a Port of Entry:
Figure 9: The Biometric Verification Process:
Figure 10: The Biometric Identification Process:
Figure 11: The General Relationship between FMR and FNMR:
Figure 12: Standards for Biometric Systems:
Figure 13: The Front of a Laser Visa:
Figure 14: The Back of a Laser Visa:
Figure 15: Issuing U.S. Visas by a Watch List Check Process:
Figure 16: Issuing U.S. Passports by a Watch List Check Process:
Figure 17: System Architecture for a Biometric Watch List Check before
Issuing Travel Documents:
Figure 18: Entering the United States by a Watch List Check Process:
Figure 19: System Architecture for a Biometric Watch List Check before
Entering the Country:
Figure 20: Issuing U.S. Visas with Biometrics:
Figure 21: Port of Entry Visa Inspection with Biometrics:
Figure 22: System Architecture for Issuing Visas with Biometrics:
Figure 23: Issuing U.S. Passports with Biometrics:
Figure 24: Port of Entry Passport Inspection with Biometrics:
Figure 25: System Architecture for Issuing Passports with Biometrics:
Figure 26: Using Fingerprint Biometrics for Physical Access:
Figure 27: Using Fingerprint Biometrics for Logical Access:
Figure 28: A Fingerprint Biometric Device for Personal Identification:
Figure 29: Common Fingerprint Features:
Figure 30: Established Fingerprint Types.
Figure 31: An IDENT Workstation:
Figure 32: Fingers Guided by Pegs in a Biometric Hand Geometry
Measurement:
Figure 33: A Traveler Using an INSPASS Hand Geometry Device:
Figure 34: A Traveler Using Ben Gurion Airport’s Biometric Hand
Geometry System:
Figure 35: A Typical Hand Geometry Recognition Device:
Figure 36: A Hand Geometry Recognition Device That Is Enclosed:
Figure 37: Local Feature Analysis: A Topographical Grid of Facial
Regions:
Figure 38: Two-Dimensional, Gray-Scale Images of an Eigenface Template:
Figure 39: CCTV Surveillance Equipment:
Figure 40: Facial Recognition Distance Identification:
Figure 41: Facial Recognition Distance Verification:
Figure 42: Facial Recognition Expression Identification:
Figure 43: Facial Recognition Expression Verification:
Figure 44: Facial Recognition Media Identification: Digital to
35 mm:
Figure 45: Facial Recognition Media Verification: Digital to 35 mm:
Figure 46: Facial Recognition Pose Identification:
Figure 47: Facial Recognition Temporal Identification:
Figure 48: Facial Recognition Temporal Verification:
Figure 49: The Iris and Other Parts of the Eye:
Figure 50: Iris Recognition Physical Access Control System:
Figure 51: Iris Recognition System with Desktop Camera:
Figure 52: Mapping the Eye for Iris Recognition Systems:
Figure 53: Iris Recognition Device for Border Control at London’s
Heathrow Airport:
Figure 54: Border Control Lane with Iris Recognition Device at London’s
Heathrow Airport:
Abbreviations:
AAMVA: American Association for Motor Vehicle Administration:
AFIS: automated fingerprint identification system:
ANSI: American National Standards Institute
API: application programming interface
APIS: Advance Passenger Information System
ATM: automated teller machine
BAPI: biometric application programming interface
CBEFF: Common Biometric Exchange File Format
CCD: Consular Consolidated Database
CCTV: closed-circuit television
CLASS: Consular Lookout and Support System
DOD: Department of Defense
EER: equal error rate
EPPS: Expedited Passenger Processing System
ETT: enrollment timed test
FAA: Federal Aviation Administration
FBI: Federal Bureau of Investigation
FERET: Face Recognition Technology
FMR: false match rate
FNMR: false nonmatch rate
FRVT: 2000Facial Recognition Vendor Test 2000
FRVT: 2002Facial Recognition Vendor Test 2002
FTE: failure to enroll
FTER: failure to enroll rate
FVC 2000: Fingerprint Verification Competition 2000
FVC 2002: Fingerprint Verification Competition 2002
IAFIS: Integrated Automated Fingerprint Identification System:
IAFS: Immigration and Asylum Fingerprint System
IBG: International Biometric Group
IBIA: International Biometric Industry Association
IBIS: Interagency Border Inspection System
ICAO: International Civil Aviation Organization
IDENT: Automated Biometric Fingerprint Identification System
INCITS: InterNational Committee for Information Technology
Standards
INS: Immigration and Naturalization Service
INSPASSINS: Passenger Accelerated Service System
IRS: Internal Revenue Service
JPEG: Joint Photographic Experts Group
LFA: local feature analysis
NAFTA: North American Free Trade Agreement
NAS: National Academy of Sciences
NIST: National Institute of Standards and Technology
NPL: National Physical Laboratory
NSA: National Security Agency
OIDTT: old image database timed test
PALS: Portable Automated Lookout System
PFM: Passport Files Miniaturization
PIN: personal identification number
PRISM: Passport Records Imaging System Management:
RSI: Recognition Systems Inc.
SENTRI: Secure Electronic Network for Travelers Rapid Inspection:
TECS: Treasury Enforcement Communications System
WSQ: wavelet scalar quantization:
United States General Accounting Office:
Washington, DC 20548:
November 15, 2002:
The Honorable Richard J. Durbin
Chairman
The Honorable Robert F. Bennett
Ranking Minority Member
Subcommittee on Legislative Branch
Committee on Appropriations
United States Senate:
As directed in the Fiscal Year 2002 Legislative Branch Appropriations
Conference Report (House Report 107-259) and subsequent support letters
from interested Members of the Congress, we conducted a pilot program
in technology assessment that examined the use of biometric
technologies for border control. This report discusses the current
maturity of several biometric technologies and possible implementation
of these technologies in current border control processes. Policy
implications and key considerations for the use of biometric
technologies are also discussed.
We are sending copies of this report to the Attorney General, the
Secretary of State, and interested congressional committees. We will
provide copies to others on request. In addition, the report will be
available at no charge on the GAO Web site at http://www.gao.gov.
If you have questions concerning this report, you may contact me on
(202) 512-2700 (kingsburyn@gao.gov) or Naba Barkakati, Senior Level
Technologist, on (202) 512-4499 (barkakatin@gao.gov). Major
contributors to this report are listed in appendix IX.
Nancy R. Kingsbury
Managing Director, Applied Research and Methods:
Signed by Nancy R. Kingsbury
[End of section]
Technology Assessment Overview:
Purpose:
One facet of the homeland security strategy focuses on border security-
-preventing the illegal entry of people and goods into the United
States without impeding their legitimate flow. Security concerns need
to be balanced with practical cost and operational considerations as
well as political and economic interests. A risk-based approach can
help identify and address security concerns. This is a challenging
mission because:
* the nation shares a 5,525 mile border with Canada and a 1,989 mile
border with Mexico and has a shoreline of about 95,000 miles,
* there are almost 400 official entry points along these borders, and:
* there were more than 500 million border crossings into the United
States last year, two-thirds by travelers who were not citizens.
Part of the border security mission is controlling the passage of
travelers through these official entry points into the United States.
Biometric technologies, using one or more of a person’s distinct
physiological or behavioral characteristics, have been suggested as a
way to help automate the identification of travelers to the United
States at these ports of entry.
As directed in the Fiscal Year 2002 Legislative Branch Appropriations
Conference Report (House Report 107-259) and subsequent support letters
from interested Members of the Congress, this technology assessment
focuses on four key questions:
1. What biometric technologies are currently deployed, currently
available but not yet deployed, or in development that could be
deployed in the foreseeable future for use in securing the nation’s
borders?
2. How effective are these technologies now or likely to be in the
future in helping provide security to the nation’s borders?
3. What are the economic and effectiveness trade-offs of implementing
these technologies?
4. What are the implications of using biometric technologies for
personal security and the preservation of individual liberties?
To answer these questions, we convened, with the assistance of the
National Academy of Sciences, two meetings on biometrics and border
control issues that included manufacturers of facial, fingerprint, and
iris recognition and hand geometry technologies, as well as informed
representatives from academia, government, and industry groups; privacy
and civil liberty advocates; and other stakeholders such as
representatives of border communities and trade organizations. We also
interviewed certain users of biometric technologies, including the
Federal Bureau of Investigation, Immigration and Naturalization Service
(INS), National Security Agency, National Institute of Standards and
Technology, the Department of State, and the Canada Customs and Revenue
Agency. We reviewed test documentation to understand the performance of
biometric technologies and visited a number of ports of entry where
these technologies may be used. We interviewed manufacturers of
biometric technologies and reviewed their publications to obtain
descriptive information about their equipment. We interviewed officials
from biometric industry organizations, including the Biometric
Consortium and the Biometric Foundation. We also interviewed the
International Biometric Group (IBG). We postulated four scenarios for
using biometric technologies in border security and created cost models
to estimate the rough order of magnitude costs of implementing
biometric technologies. We provided our assessment report to the
Department of Justice and the Department of State for their review. We
also had the draft report reviewed by a number of external experts.
Our report starts with a description of the current border control
procedures for admitting people into the United States--issuing visas
to citizens of other nations and passports to U.S. citizens and
inspecting travelers at the ports of entry. Next, the report describes
how biometric technologies work, including the different types of
biometric technologies, their levels of maturity, and their operating
and performance characteristics. We present four possible scenarios in
which biometrics might be applied to current U.S. border control
procedures. For each scenario, we analyze some of the costs, benefits,
and risks associated with implementation. Finally, the report sums up
certain policy implications and challenges to be faced if a biometric
system is to be designed and deployed for border security. A number of
appendixes provide details on the major biometric technologies.
Background:
The United States essentially relies on a two-step approach to prevent
inadmissible people from entering the country. The Bureau of Consular
Affairs in the State Department is responsible for issuing
international travel documents, such as passports in the United States
and visas in other countries, and INS in the Department of Justice is
responsible for inspecting travelers at the ports of entry.
The term biometrics covers a wide range of technologies that can be
used to verify a person’s identity by measuring and analyzing his or
her characteristics. Identifying a person’s physiological
characteristics is based on data derived from measuring a part of the
body directly. Technologies have been developed to measure people’s
fingers, hands, faces, and eye retinas and irises. Identifying a
person’s behavioral characteristics is based on data derived from an
individual’s actions, such as how he or she talks, types, or signs his
or her name. Biometric systems are essentially pattern recognition
systems. They use electronic or optical sensors such as cameras and
scanning devices to capture images, recordings, or measurements of a
person’s characteristics and computer hardware and software to extract,
encode, store, and compare these characteristics.
Using biometrics as identifiers for border security purposes appears to
be appealing because they can help tightly bind a traveler to his or
her identity by using physiological or behavioral characteristics.
Unlike other identification methods, such as identification cards or
passwords, biometrics are less easily lost, stolen, or guessed.
Biometrics have been implemented to a limited degree in U.S. border
control systems. For example, since 1993, the INS Passenger Accelerated
Service System (INSPASS) has allowed for automated inspections of more
than 35,000 frequent fliers at nine airports. The Congress has enacted
laws in the past 6 years that require a more extensive use of
biometrics in border control systems. These laws require that by the
end of 2004, all ports of entry are to be able to perform biometric
comparison and authentication of all U.S. visas and other travel and
entry documents and that all systems of the State Department, INS, and
federal law enforcement and intelligence agencies that contain
information about aliens are to be interoperable.
Results in Brief:
Biometric technologies are available today and are being used for a
variety of applications such as access control and criminal
identification and surveillance. We considered a number of leading and
emerging biometric technologies that could potentially be used for
securing the nation’s borders. The seven leading biometric technologies
include facial recognition, fingerprint recognition, hand geometry,
iris recognition, retina recognition, signature recognition, and
speaker recognition (see table 1). Of these, fingerprint recognition,
facial recognition, iris recognition, and hand geometry appeared to be
suitable for border security because all have been used in border
control pilots and applications. However, hand geometry is not highly
distinctive and cannot reliably pick out an individual from among many.
Consequently, hand geometry is not suitable if there is a need to
search the biometrics database to determine if a person has previously
enrolled in the database or is in a watch list. However, hand geometry
is viable for verifying claimed identity when another biometric
technology is used for the identification check during enrollment. We
also looked at emerging biometric technologies, such as ear shape
recognition and odor sensing, and found that they are in various stages
of development and have not yet been used in border control
applications. Our assessment is based on a snapshot of biometric
technologies as they existed in early 2002.
Table 1: Leading Biometric Technologies:
Technology: Facial recognition; How it works: Captures and compares
facial patterns; Suitable for border control: Yes.
Technology: Fingerprint recognition; How it works: Captures and
compares fingertip patterns; Suitable for border control: Yes.
Technology: Hand geometry; How it works: Measures and compares
dimensions of hand and fingers; Suitable for border control: Yes
(verification only).
Technology: Iris recognition; How it works: Captures and compares iris
patterns; Suitable for border control: Yes.
Technology: Retina recognition; How it works: Captures and compares
retina patterns; Suitable for border control: No.
Technology: Signature recognition; How it works: Captures and compares
rhythm, acceleration, and pressure flow of signature; Suitable for
border control: No.
Technology: Speaker recognition; How it works: Captures and compares
cadence, pitch, and tone of vocal tract; Suitable for
border control: No.
Source: GAO analysis.
[End of table]
To evaluate the effectiveness of biometrics in border control, it is
important to recognize that the use of biometric technology would be
but one component of the decision to support systems that determine who
is allowed to enter the United States and who is not. Biometric
technology can play a role in associating a person with travel
documents such as visas and passports. When used at a border
inspection, the biometric comparison can be used to help decide whether
to admit a traveler into the United States.
When biometric technology is used in border control, the border control
processes will have to be changed not only to use the new technology
but also to compensate for its shortcomings. None of these technologies
have been used in an application as large as that required for a border
control system. Further, biometric technologies are not perfect--all
have some measured rates of erroneously matching a person or
erroneously not matching a person. The people involved, such as
travelers, inspectors, and consular personnel, will have to be trained
in how to use the new system and in the new border control processes.
Before any decision is made to implement biometrics in a border control
system, the benefits of the system must be weighed against its costs.
The purpose of any biometrics initiative is to prevent the entry of
travelers who are inadmissible to the United States. For example, using
a biometric watch list can provide an additional check to name-based
checks and can help detect travelers trying to evade detection who have
successfully established a separate name and identity. The use of
passports and visas with biometrics can help positively identify
travelers as they enter the United States and can limit the use of
fraudulent documents, including counterfeit and modified documents, and
impostors’ use of legitimate documents.
To analyze the costs of using three biometric technologies--facial,
fingerprint, and iris recognition--we define four scenarios in which
these technologies can be used to support border control operations.
Two scenarios use a biometric watch list to identify travelers who are
inadmissible to the United States (1) before issuing travel documents
or (2) before travelers enter the country. To help bind the claimed
identity of travelers to their travel documents, biometrics could be
incorporated into (1) U.S. visas or (2) U.S. passports. As defined,
these four scenarios are not mutually exclusive and could be
implemented independently or in combination. The costs of a biometric
border control system will not be trivial. For example, our rough order
of magnitude cost estimates to implement visas with biometrics are
between $1.3 billion and $2.9 billion initially and between $0.7 and
$1.5 billion annually thereafter.
Finally, important policy implications must be addressed in trade-offs
between increasing security and the impact on areas such as privacy,
economy, traveler convenience, and international relations. Civil
liberties groups and privacy experts have expressed concern about the
adequacy of protections under current law for biometric data and an
absence of clear criteria governing data sharing. Requiring biometric-
enabled visas could potentially affect the travel and tourism industry
adversely. Increased inspection times because of biometric
identification checks could result in longer waiting times, especially
at land crossings, causing local merchants on both sides of the border
to lose sales. International relations could be affected as other
countries reciprocate when the United States asks visitors from those
countries to provide biometric identifiers when they apply for visas.
Whether the financial and nonfinancial costs are warranted by the
benefits of greater security is a policy issue that should be
determined before biometric technologies are implemented in a border
control system. This report provides useful information that can help
serve as the basis for these decisions. As our report describes,
biometric technology is not a panacea for the border security problem.
It is only one component of the decision support systems that determine
who is allowed to enter the United States and who is not. A risk-based
approach would be helpful in addressing the overall border security
problem and the high-level goals that can be achieved with biometric
technologies. The approach could rely on establishing what is being
protected, who the adversaries are, what the vulnerabilities are, what
the priorities are, and what mitigation strategies can be implemented.
Answering these questions should help determine the proper role of
biometric technologies in border security.
We provided a draft of this report to the Department of Justice and the
Department of State for their review. The Department of Justice
expressed some concerns, but the State Department stated that it
appreciated the thorough and balanced approach we took in our
assessment of the use of biometrics for border security. We include
State’s and Justice’s comments in appendixes VII and VIII,
respectively, and summarize them in chapter 6. State and Justice also
provided technical comments on the draft, which we incorporated as
appropriate.
We also provided a draft of this report to 16 different organizations,
representing government, industry, and academia, for their review. We
received comments and suggestions from 10 reviewers. The comments
included the correction of technical inaccuracies and the highlighting
of certain aspects of the assessment that reviewers considered
important. We have incorporated these comments, where appropriate, in
the report. We summarize these comments in chapter 6.
Border Control Overview:
The United States relies essentially on two primary procedures to
facilitate the entry of people authorized to enter the country and to
ensure that inadmissible people are prevented from entering. The State
Department’s Bureau of Consular Affairs issues international travel
documents, including passports to U.S citizens and visas to people who
are not U.S. citizens and are traveling to the United States. INS
inspects travelers entering the United States through official ports of
entry. In addition, INS’s Border Patrol is responsible for securing the
borders and apprehending travelers entering through other than official
ports of entry.
Passport Processing:
Passports are issued to U.S. citizens to permit their travel abroad and
to facilitate their entry back into the United States. U.S. citizens
can apply for passports at one of more than 4,500 passport acceptance
offices. Few of these offices are State Department offices--most are
offices in facilities such as U.S. post offices or state, county,
township, and municipal government offices. Passport acceptance agents
review application packages for completeness and complete a checklist
regarding their impressions of applicants and their applications. After
the applications are sent to the central application processing center,
they are run through a State Department computer system that checks to
see (1) whether the applicant has been identified as someone who is not
eligible to receive a passport, (2) whether the individual already has
an active passport, and (3) whether the individual has multiple
applications in process. Passport examiners review the results of these
checks and the applications and decide whether to issue passports. If
an application is approved, a passport is generated and sent to the
applicant.
Visa Processing:
With some exceptions, visitors to the United States are required to
have a visa to enter. Worldwide, travelers can apply for a visa at 210
embassies and consulates. Visa applications are entered into a State
Department computer system and are checked to determine items such as
whether an applicant has been identified as someone who is not eligible
to receive a visa, whether the applicant’s passport matches a passport
that has been reported as lost or stolen, or whether the applicant has
been refused a visa in the past. In some cases, an interview with the
visa applicant or a security advisory opinion from State headquarters
is required. In determining whether to grant the visa, the consular
officer reviews the data provided in the application and the computer
system and, if applicable, the interview and security advisory opinion.
If the application is approved, a visa foil is generated and provided
to the traveler.
Port of Entry Inspections:
All people legally entering the United States must be processed through
an air, land, or sea port of entry. As shown in table 2, about 82
percent of border crossings occurred at land ports of entry last year.
An individual entering the country through an official port of entry
first enters a process called primary inspection. Inspectors determine
whether travelers qualify for admission or additional review is
necessary. If additional review is necessary, the individual is
referred to secondary inspection, where a final decision on whether to
admit the traveler is made. During fiscal year 2001, about 1.7 percent
of the more than 500 million border crossers entering the country were
referred to secondary inspection, where 707,920 were denied admission.
Table 2: Number of Inspections at U.S. Ports of Entry, Fiscal Year
2001:
Type of port: Sea; Number of ports: 86; Number of inspections:
11,952,501.
Type of port: Air; Number of ports: 155; Number of inspections:
79,598,681.
Type of port: Land; Number of ports: 154; Number of inspections:
414,364,965.
Type of port: Total; Number of ports: 395; Number of inspections:
505,916,147.
Source: GAO analysis of INS data.
[End of table]
The processes used for primary inspection vary, depending on the mode
of travel--air, land, or sea--and the traveler’s nationality. INS uses
a combination of methods to inspect travelers, including a brief
interview with the travelers, an inspection of their travel or
identification documents, and computer checks of their names or the
license plates of their vehicles. The traveler’s nationality also
dictates the documentation requirements. For example, U.S. citizens do
not require passports unless they are returning from outside the
Western Hemisphere. In general, aliens must present their passport and
a U.S.-issued visa. Citizens of countries participating in the visa
waiver program do not require a visa to enter the United States.
Biometric Technologies:
Biometric technologies have been used in a wide array of applications,
including access control to buildings and computers, criminal
identification and surveillance, licensing and voter applications, and
fraud reduction. Biometric technologies can be used in a verification
or identification mode. Regardless of the method used, an enrollment
process is required to capture a biometric sample, extract and encode
the sample as a biometric template, and store the data in a database
for future comparisons. In verification mode (e.g., access control to a
building with an identity card), the biometric system verifies the
validity of a claimed identity, answering the question “Is this person
who she claims to be?” In identification mode (e.g., criminal
surveillance), the biometric system compares the individual’s biometric
with all stored biometric records to answer the question “Who is this
person?”:
We considered seven leading biometric technologies: facial recognition,
fingerprint recognition, hand geometry, iris recognition, retina
recognition, signature recognition, and speaker recognition. Four--
facial recognition, fingerprint recognition, hand geometry, and iris
recognition--appear to be suitable for border control applications. All
four have been used in border control pilots and applications. The
three other technologies have key problems that inhibit their use for
border control. Retina recognition is considered to be too intrusive
because many users experience discomfort in using the devices, which
operate close to their eyes. Signature recognition has a high error
rate because it has been found that people do not always sign their
name the same way each time. Speaker recognition has been piloted in a
border control environment but has been found to be unreliable. Also,
speaker recognition systems do not perform well in noisy environments
such as would be encountered at ports of entry.
The emerging technologies we considered--facial thermography, gait
recognition, ear shape recognition, DNA matching, odor sensing, blood
pulse measurement, skin pattern recognition, vein scan, and nailbed
identification--are in various stages of development and have not yet
been used in border control applications.
Fingerprint recognition has been widely used and accepted, primarily in
law enforcement, for four decades. Facial recognition can be used to
compare either a live facial scan to a stored biometric template or a
static image to a digitized photograph. Facial images are already
prevalent in travel documents, and people are accustomed to having
their picture taken. Hand geometry has been widely used in access
control applications and is relatively easy to use. Iris recognition
identifies people by numerous characteristics of the colored ring
surrounding the pupil of the eye, some of which tend to remain stable
throughout life.
In order to differentiate between biometric technology products, they
are often characterized by factors such as accuracy, testing,
standards, and user acceptance. The accuracy of a biometric technology
is usually measured by three key error statistics: the rate at which a
system erroneously matches a person, the rate at which a system
erroneously does not match a person, and the rate at which people are
unable to enroll in a system. To evaluate biometric technologies, the
results of independent tests should be consulted. In addition, tests
have been conducted in which researchers have successfully fooled
biometric systems with artificial characteristics such as a latex
finger or a facial picture. Adherence to standards enhances the ability
of a biometric device to store and exchange data. Another factor to
consider in selecting a biometric technology is the ease of use. Some
people find biometric technologies difficult, if not impossible, to
use. Still others resist biometrics in general as intrusive, inherently
offensive, or just uncomfortable to use.
No biometric technology is best for every situation, but it is possible
to determine the most accurate, easiest to use or deploy, or cheapest,
depending on the objectives to be achieved. For example, hand geometry
requires the least data storage, fingerprint and iris recognition have
the lowest error rates, and facial recognition is the easiest to use.
However, each technology also has its limitations. For example, about 2
to 5 percent of people cannot be easily fingerprinted because their
fingerprints have become dry or worn from age, extensive manual labor,
or exposure to corrosive chemicals. Facial recognition systems have not
performed particularly well in independent testing. Iris recognition is
a relatively new technology and has not been used in any large
operational applications as fingerprint and facial recognition systems
have. Hand geometry is not highly distinctive and thus is not suitable
for identification applications. These limitations and others would
have to be considered if these technologies were to be deployed within
a border control system. (More details on the biometric technologies
can be found in chapter 3 and appendixes II to V.):
Scenarios for Using Biometric Technologies for Border Security:
We developed and analyzed four different scenarios in which
fingerprint, facial, or iris recognition biometric technologies or some
combination of them could be used to improve current border control
procedures. Two scenarios use a biometric watch list to identify
travelers who are inadmissible to the United States (1) before issuing
travel documents or (2) before travelers enter the country. To help
bind travelers to their travel document, two other scenarios could be
used to incorporate biometrics into (1) U.S. visas or (2) U.S.
passports. These four scenarios can be implemented independently or in
combination.
The first scenario involves the use of facial recognition to help
identify people ineligible to receive a passport or a visa. The
biometric identification check would be conducted at the same time as
other computer checks are conducted on each travel document
application. The second scenario uses an automated facial recognition
system at the ports of entry that can observe a person’s face and check
the observed facial features against a watch list of people who should
be denied access to the country. Both scenarios require the creation of
a biometric-based watch list that stores photographs of individuals
selected according to criteria determined by border security and other
law enforcement agencies. While both scenarios require a centralized
facial recognition server to perform matches, performing checks at the
ports of entry would also require the purchase of facial recognition
systems for the almost 4,000 inspection stations at the ports of entry.
The two other scenarios introduce biometrics to visas and passports. In
both of these scenarios, travel document applicants would be required
to have their biometric sample collected--at 1 of 210 embassies and
consulates for visa applicants or at 1 of 4,500 passport acceptance
offices for passport applicants. As part of the enrollment and document
issuance process, an additional identification check of applicants
would be made against the database of issued documents to ensure that a
person does not receive multiple documents under different identities.
Biometric scanners would also have to be installed at the ports of
entry to verify the identity of travelers with biometrically enabled
travel documents.
The Effect on Border Control Processes:
The successful implementation of any technology depends not only on the
performance of the technology but also on the operational processes
that employ the technology and the people who execute them. The
implementation of biometrics in border security is no exception.
Further, the use of technology alone is not a panacea for the border
security problem. Instead, biometric technology is just a piece of the
overall decision support system that helps determine whether to allow a
person into the United States. The first decision is whether to issue
travelers a U.S. travel document. The second decision, made at the
ports of entry, is whether to admit travelers into the country.
Biometrics can play a role in both decisions. Sorting the admissible
travelers from inadmissible ones is now done by using information
systems for checking names against watch lists and by using manual
human recognition capabilities to see if the photograph on a travel
document matches the person who seeks entry to the United States. When
enabled with biometrics, automated systems can verify the identity of
the traveler and assist inspectors in their decision making.
The four biometric scenarios will affect key border security processes.
A key factor is the performance of the biometric technology. For
example, if the biometric technology that is used to perform watch list
checks before travel documents are issued has a high rate of false
matches, workload could increase at the embassies and consulates for
visas and at the passport centers for passports. If the same biometric
solution were used at the ports of entry, it could lead to increased
delays in the inspection process and an increase in the number of
secondary inspections.
Exception processing will have to be carefully considered. Exceptions
include people who fail to enroll in a system or are not correctly
matched by a verification system. Exception processing that is not as
good as biometric-based primary processing could be exploited as a
security hole. Failure of equipment must also be considered and planned
for. Further, for issuing visas or passports with biometrics, an
appropriate transition strategy must be devised to simultaneously
handle biometric travel documents and the current travel documents that
could remain valid without biometrics for the next 10 years.
Maintaining Information Security:
Implementing biometrically enabled travel documents requires a strong
binding and verification process to tie individuals to their identities
using their biometrics. A process that does not have strong binding
mechanisms can provide little improvement over existing procedures. A
failure in the enrollment or the verification process could undermine
the use of biometric technologies. For example, procedures must be
developed to handle individuals who could not be enrolled in the
system. Even if individuals are properly enrolled, they might not be
properly matched during inspection. Adequate procedures have to be in
place to properly differentiate between system problems and persons who
are impostors or otherwise inadmissible to the United States.
Information security also is important in ensuring strong binding. If
rogue individuals can modify the biometric database or the token on
which individual biometric records are stored, a person’s bond to his
or her biometric data can be compromised.
Weighing Costs and Benefits:
Before any significant project investment is made, the benefit and cost
information of the project should be analyzed and assessed in detail.
The project concept should be based on high-level system goals, which
for a border control system would include items such as binding a
biometric feature to a person’s identity on a travel document,
identifying undesirable persons on a watch list, checking for duplicate
enrollments in the system, verifying identities at the borders,
ensuring the security of the biometric data, and ensuring the adequacy
of privacy protections.
The desired benefit of all the scenarios we describe--the use of
biometric watch lists or biometrically enabled travel documents--is the
prevention of the entry of travelers who are inadmissible to the United
States. More specifically, the use of a biometric watch list can
provide an additional check to name-based checks and can help detect
travelers who are trying to evade detection and have successfully
established separate names and identities. The use of passports and
visas with biometrics can help positively identify travelers as they
enter the United States and can limit the use of fraudulent documents,
including counterfeit and modified documents and impostors’ use of
legitimate documents.
These benefits have several limitations. First, the benefit achieved in
each scenario is directly related to the performance of the biometric
technology. The performance of facial, fingerprint, and iris
recognition is unknown for systems as large as a biometric visa system
that would require the storage and comparison against 100 million to
240 million records. The largest facial, fingerprint, and iris
recognition systems contain 60 million, 40 million, and 30,000 records,
respectively.
For the watch list scenarios, the population of the watch list is
critical to the system’s effectiveness. Issuing passports and visas
with biometrics will only assist in identifying those currently
required to obtain passports or visas to enter this country. For
example, U.S. citizens do not have to have a passport to return from
Canada or Mexico. Canadians, Mexicans with border crossing cards, and
aliens participating in the visa waiver program do not have to have a
visa to enter the United States. The issuance of passports and visas
with biometrics is also dependent on establishing the correct identity
during enrollment. This process will typically be dependent on the
presentation of identification documents. If the documents do not
specify the applicant’s true identity, then the travel document will
still be linked to a false identity.
Further, biometric technology is not a solution to all border security
problems. Biometric technology can address only problems associated
with identifying travelers at official locations such as embassies,
passport acceptance offices, and ports of entry. While the technology
can help reduce the number of illegal immigrants who cross with
fraudulent documents, it cannot help with illegal immigrants who cross
“between the borders” and not at a port of entry. INS has previously
estimated that up to 60 percent of the 275,000 new illegal immigrants a
year do not present themselves at a port of entry to enter the United
States. In addition, biometrics cannot help with aliens who enter
through ports of entry and are properly admitted by an inspector but
may overstay their visit.
The security benefits gained from the use of biometrics must be weighed
against the cost of implementing the scenario. For each of the four
scenarios, we created cost models to estimate the cost of developing,
implementing, and maintaining various biometric processes. We included
the costs of both the technology and the effects on people and
processes. Table 3 summarizes the initial and annual recurring costs of
implementing each scenario. The initial costs include elements such as
development, installation, training, biometric hardware and software,
and consular facility renovation. The recurring costs include elements
such as biometric hardware and software maintenance, system support and
operational personnel, consular personnel, facility maintenance, and
annual supplies. While the costs of people and space required to enroll
travelers in biometric systems at embassies and consulates are
included, the costs of people and space required to verify the
biometrics at ports of entry are not included. Consular staff and space
are major cost drivers. For example, for issuing visas with biometrics,
these costs make up between 21 percent and 31 percent of the system’s
total initial cost and between 23 percent and 29 percent of its total
recurring cost.
Table 3: Estimated Costs for Implementing Border Security Scenarios:
Scenario: Watch list check before issuing travel documents; Initial
cost: $53; Annual recurring cost: $73.
Scenario: Watch list check before entering the United States; Initial
cost: 330; Annual recurring cost: 237.
Scenario: Issuing visas with biometrics; Initial
cost: 1,399-2,845; Annual recurring cost: 698-1,482.
Scenario: Issuing passports with biometrics; Initial
cost: 4,446-8,766; Annual recurring cost: 1,555-2,363.
Note: Dollars are in millions.
Source: GAO analysis.
[End of table]
The watch list scenarios assume the use of facial recognition
technology, because faces from photographs are often the only biometric
available for individuals who may be inadmissible to the United States.
Travel documents with biometrics can use facial, fingerprint, or iris
recognition or some combination of the three.
Protecting Privacy and Civil Liberties:
The Privacy Act of 1974 limits federal agencies’ collection, use, and
disclosure of personal information, including personal information such
as finger or voice print and photographs. Accordingly, the Privacy Act
generally covers federal agency use of personal biometric information.
However, as a practical matter, the act is likely to have a more
limited application for border security. First, the act applies only to
U.S. citizens and lawfully admitted permanent resident aliens. Second,
the act includes exemptions for law enforcement and national security
purposes. Representatives of civil liberties groups and privacy experts
have expressed concerns regarding (1) the adequacy of protections for
security, data sharing, identity theft, and other identified uses and
(2) secondary uses and “function creep.” The Internal Revenue Service,
the RAND Corporation, and IBG have developed privacy frameworks that
establish guidelines on issues with the scope and capabilities of
biometric systems, the protection of data, the protection of users, and
the disclosure, auditing, accountability, and oversight of biometric
systems.
The Effect on Convenience, the Economy, and International Relations:
Any lengthening in the process of obtaining travel documents or
entering the United States could affect travelers significantly. At
some consular posts, visas are issued the day applications are
received. Even without biometrics, the busiest ports of entry regularly
have delays of 2 to 3 hours. Increases in inspection times could
compound these delays. Delays inconvenience travelers and could result
in fewer visits to the United States or lost business to the nation.
Further studies will be necessary to measure what the potential effect
could be on the American economy and, in particular, on the border
communities. These communities depend on trade with Canada and Mexico,
which totaled $653 billion in 2000.
Finally, the use of biometrics in the United States could affect the
number of international visitors and how other countries treat visitors
from the United States. Visitors from some countries may not want to
come to the United States if it is less convenient to do so. In
addition, because much of visa issuance policy is based on reciprocity-
-the process for allowing a nation’s citizens to enter the United
States is similar to the process followed by that nation for visitors
from the United States--other nations may start requiring biometric
samples from U.S. citizens if the United States requires biometric
samples from their citizens. (More details on costs and benefits, as
well as the potential implications, of using biometrics are provided in
chapter 5.):
The Role of Biometrics in Border Security:
People are identified by three basic means: by something they know,
something they have, or something they are. Current U.S. border
security processes identify travelers by using travel documents such as
passports and visas and asking travelers questions--things the
travelers have and know. The travel document also establishes a
traveler’s eligibility to enter the country.
The use of biometrics--things the travelers are--can more securely bind
a person’s identity to a travel document. Two processes are keys to
achieving this binding. First, a strict and thorough enrollment step is
necessary to bind a person to an identity. The identity claimed by the
traveler is based on documents such as a birth certificate, passport,
or other government-issued documents. If processes are not in place to
ensure the validity of the traveler’s claimed identity, the person
could be linked with a false identity. Second, an effective matching
process is required to link the person to the travel document. If a
person can bypass the biometric check or can deceive the biometric
system, the person may be erroneously granted admission to the United
States. The performance of the biometric technology is also important
to the execution of these processes. Effective enrollment and matching
processes could allow for the use of biometric-enabled travel documents
that will establish not only the traveler’s eligibility to enter the
country but also that the traveler is indeed the individual depicted on
the document.
However, biometric technology is just one component of the decision
support systems that help determine who is allowed to enter the United
States and who is not. For example, the technologies may be able to
reduce document fraud but may not be able to detect illegal entry to
the United States through other than official ports of entry. A risk-
based approach would be helpful in addressing the overall border
security problem and the high-level goals that can be achieved with
biometric technologies. The approach could rely on answering five basic
questions: What are we protecting? Who are the adversaries? What are
the vulnerabilities? What are the priorities? What mitigation
strategies can be used? A decision to implement our four scenarios or
any others should be based on an approach that answers these questions.
The scenarios could be partially implemented or combined in different
ways. New scenarios could be defined in which travelers voluntarily
enroll in a biometric identification system similar to INSPASS for
expedited border crossing. Trade-offs should be made to determine the
best implementation of biometrics for border security. For example, a
partial implementation may be less costly without sacrificing any of
the security benefits.
Regardless of how biometric technology is used in border security,
using a risk-based approach should help in developing the high-level
goals of a system and its concept of operation. The answers should also
help point out the limitations of such a system and what it will not be
able to provide. They can also play a role in the analysis and
weighting of the benefits in a cost-benefit analysis, as well as the
trade-off analysis between greater security and issues such as privacy
and the economy. With these answers, the proper role of biometric
technology in border security can be determined.
[End of section]
Chapter 1 Introduction:
A primary element of the homeland security strategy is the improvement
of U.S. border security--preventing the illegal entry of people and
goods into the United States while facilitating their legitimate flow.
Security concerns need to be balanced with practical cost and
operational considerations as well as political and economic interests.
The United States shares a 5,525 mile border with Canada and a 1,989
mile border with Mexico. Its maritime border includes 95,000 miles of
shoreline. There were more than half a billion border crossings into
the United States last year; about two-thirds were not by U.S.
citizens. The number of distinct travelers into the country each year
is unknown because some people enter the country many times in one
year, some daily.
Facilitating the flow of people while preventing illegal border
crossings is a matter of identifying travelers. People are identified
by three basic means: by something they know, something they have, or
something they are. People and systems regularly use these means to
identify people in everyday life. For example, members of a community
routinely recognize one another by how they look or how their voices
sound--by something they are. Automated teller machines (ATM) recognize
customers from their presentation of a bank card--something they have-
-and their entering a personal identification number (PIN)--something
they know. Using keys to enter a locked building is another example of
using something you have. More secure systems may combine two or more
of these approaches.
Generally, identifying travelers at the borders is performed by
inspecting their travel documents, such as passports and visas, and
asking them questions--things the travelers have and know. The U.S.
Department of State issues passports to U.S. citizens and visas to
others who are not U.S. citizens. The Immigration and Naturalization
Service (INS) inspects these travel documents at officially designated
air, land, and sea ports of entry.
Technologies called biometrics can automate the identification of
individual travelers by one or more of their distinct physical or
behavioral characteristics. Biometrics have been suggested as a way of
improving the nation’s ability to positively determine whether people
are admissible to the United States. The term biometrics covers a wide
range of technologies that can be used to verify identity by measuring
and analyzing human characteristics--relying on attributes of the
individual instead of things the individual may have or know.[Footnote
1]
Identifiable physiological characteristics include fingerprints,
irises and retinas, hand geometry, and facial geometry. How a person
signs his or her name is an example of an identifiable behavioral
characteristic while speech combines both physiological and behavioral
characteristics. To be effective identifiers, biometrics should be
universally present, unique to the individual, and stable over time.
Biometrics theoretically represent a more effective approach to
security because each person’s biometric characteristics are distinct
and, when compared with identification cards and passwords, are less
easily lost, stolen, or guessed.
The Federally Mandated Biometric Chimera System:
Biometrics have already been implemented to a limited degree in U.S.
border control systems. For example, the INS Passenger Accelerated
Service System (INSPASS) has identified travelers and expedited their
inspections at nine North American airports for almost 10 years. The
Congress has mandated a more extensive use of biometrics in automated
border control systems. A series of laws enacted between 1996 and
spring 2002 requires the federal government to develop Chimera, an
automated information system, to gather and share information among
agencies about aliens seeking to enter or stay in the United
States.[Footnote 2] The major requirements for the Chimera system are
(1) biometric identifiers; (2) machine-readable visas, passports, and
other travel and entry documents; and (3) interoperability among all
State Department, INS, and federal law enforcement and intelligence
agency systems that contain information about aliens. Chimera will be
used to screen applicants for visas and admission to the United States,
identify inadmissible and deportable aliens, track lost and stolen
passports, monitor foreign students studying in the United States, and
help administer law enforcement and national security.[Footnote 3]
The State Department, the Justice Department, and the National
Institute of Standards and Technology (NIST) were to report jointly to
the Congress by November 10, 2002, to assess the action needed to
implement machine-readable, tamper-resistant travel and entry
documents and the biometric comparison and authentication of such
documents. By October 26, 2004, State and Justice are to issue to
aliens only machine-readable, tamper-resistant visas and other travel
and entry documents that use biometric identifiers. At the same time,
Justice is to install at all ports of entry equipment and software that
allow the biometric comparison and authentication of all U.S. visas and
other travel and entry documents issued to aliens and machine-readable
passports.
To provide the technological basis for Chimera by January 26, 2003, as
well as its supporting systems and databases, NIST is to develop a
technology standard, including biometric identifier standards for
verifying individual identities.
To address concerns about how information in the system will be used,
particularly with regard to privacy protection and security, the law
mandates that several steps be taken by October 26, 2002. First, the
plan for sharing law enforcement and intelligence information with the
State Department and INS must establish conditions for State’s and
INS’s use of the information that include their:
* limiting its redissemination;
* ensuring that it is used solely for authorized purposes, with
criminal penalties for its misuse;
* ensuring its accuracy, security, and confidentiality;
* protecting privacy rights;
* providing data integrity by removing obsolete and incorrect
information; and:
* protecting intelligence sources and methods.[Footnote 4]
Second, the Department of State and the Department of Justice are to
report jointly on the “development, implementation, efficacy, and
privacy implications” of a “cross-agency, cross-platform electronic
system” for sharing law enforcement and intelligence information
regarding aliens seeking to enter the United States.[Footnote 5]
Third, the president is to establish a commission on interoperable data
sharing to oversee Chimera.[Footnote 6] The commission’s duties include
monitoring the protections outlined above and considering
recommendations regarding security innovations, the adequacy of privacy
protections, the adequacy of mechanisms for correcting errors, and
other protections against the unauthorized use of data in the system.
An Overview of This Report:
This technology assessment focuses on four key questions:
5. What biometric technologies are currently deployed, currently
available but not yet deployed, or in development that could be
deployed in the foreseeable future, for use in securing the nation’s
borders?
6. How effective are these technologies now or likely to be in the
future in helping provide security to our borders?
7. What are the economic and effectiveness trade-offs of implementing
these technologies?
8. What are the implications of using biometric technologies for
personal security and the preservation of individual liberties?
To answer these questions, we first describe current border control
procedures for admitting people to the United States--issuing visas to
citizens of other nations and passports to U.S. citizens and inspecting
travelers at the ports of entry. Second, we describe how biometric
technologies work, including the different types of biometric
technologies, their levels of maturity, and their operating and
performance characteristics. We also describe current applications of
various biometric technologies.
We present four possible scenarios in which biometrics might be applied
to current U.S. border control procedures. For each scenario, we
analyze some of the costs, benefits, and risks associated with
implementation. Finally, we sum up the implications and challenges to
be faced if a biometric system is to be designed and deployed for
border security.
[End of section]
Chapter 2 Today’s U.S. Border Control Procedures:
Last year, there were more than half a billion border crossings into
the United States at almost 400 designated ports of entry. Many of
these border crossings were by travelers who crossed the border many
times in 1 year, some daily. Table 4 shows that the vast majority of
inspections--those at border crossings--are at land ports. At land
ports of entry in fiscal year 2001, more than 414 million border
crossers entered the United States as one of more than 56 million
pedestrians or in one of more than 140 million vehicles.
Table 4: Number of Inspections at U.S. Ports of Entry, Fiscal Year
2001:
Type of port: Sea; Number of ports: 86; Number of inspections:
11,952,501.
Type of port: Air; Number of ports: 155; Number of inspections:
79,598,681.
Type of port: Land; Number of ports: 154; Number of inspections:
414,364,965.
Type of port: Total; Number of ports: 395; Number of inspections:
505,916,147.
Source: GAO analysis of INS data.
[End of table]
The laws and regulations governing entry into the United States and the
conditions of stay vary by citizenship and method of travel.[Footnote
7] In general, entry must be accompanied by the appropriate travel
documents. U.S. citizens generally must have a U.S. passport to leave
or enter the United States. Immigrants generally must have either a
U.S. permanent resident card or an immigrant visa and a passport from
their own country. Nonimmigrants generally must have a passport from
their country and a nonimmigrant visa. The numerous exceptions to these
rules include the following:
* Passports are not required of U.S. citizens returning from Canada or
Mexico.[Footnote 8]
* Passports are not required of Canadian citizens unless they are
returning from outside the Western Hemisphere. Visas are generally not
required for Canadian citizens.
* Passports and visas are not required of Mexican citizens who possess
a border crossing card issued by the U.S. government allowing them to
enter for business or pleasure.
* Visas are not required of citizens of countries participating in the
visa waiver program who enter for business or pleasure.[Footnote 9]
The United States relies on two primary procedures to facilitate the
entry of people authorized to enter the country and to ensure that
inadmissible people are prevented from entering. The State Department’s
Bureau of Consular Affairs issues international travel documents,
including passports to U.S citizens and visas to people who are not
U.S. citizens. INS inspects travelers entering the United States
through official ports of entry. In addition, INS’s Border Patrol is
responsible for securing the borders and apprehending travelers
entering through other than official ports of entry.
How U.S. Passports Are Issued:
U.S. citizens can apply for a passport at more than 4,500 passport
acceptance offices (see figure 1). Few of these are State Department
offices; most are offices in facilities such as U.S. post offices or
state, county, township, and municipal government offices. All first-
time applicants for a passport must appear before a passport acceptance
agent at one of these offices.
Figure 1: The U.S. Passport Application Process:
Source: GAO adaptation of State Department data.
[See PDF for image]
[End of figure]
Passport applicants must submit a passport application, proof of U.S.
citizenship, proof of identity, two passport photographs, and the
application fee. Passport acceptance agents, trained by the State
Department to look for potential fraud, review application packages and
may ask for additional documentation at their discretion. The agents
fill out an observation checklist that includes any concerns they have
about the validity of an applicant’s identity or citizenship documents.
Passport acceptance agents also are to ensure that the photographs
match the applicant. The acceptance agents send the application
packages to a central application processing center.
Applicants submitting renewal applications may mail them directly to
the central application processing center. The old passport, which can
serve as proof of identity and citizenship, is sent with the renewal
application. About 25 percent of the passport applications the State
Department receives arrive through the mail.
At the central application processing center, the application
information is electronically keyed into State’s computer system, and
the application package is forwarded to 1 of 16 State Department
passport centers. State’s computer systems conduct the following
checks:
* A name check, using the Consular Lookout and Support System (CLASS).
CLASS, which is used also before U.S. visas are issued, contains
lookout records of people who may be ineligible to receive a passport
and is populated from a variety of sources, including intelligence,
immigration, and child support enforcement data. CLASS also includes
information on passports and visas reported lost and stolen. Passport
applicants are checked against about 3.2 million records in CLASS.
* A check to determine if the applicant already has an active U.S.
passport. An estimated 55 million U.S. passports are currently valid.
* A check to determine if the applicant has multiple passport
applications in progress.
At the passport centers, passport examiners review each application,
including the results of the computer checks, and determine whether to
issue passports. A passport may be refused to an applicant for a
variety of reasons: The applicant may be subject to an outstanding
federal warrant for a felony, subject to a court order committing the
applicant to a mental institution, or in arrears for child support
payments in excess of $5,000.[Footnote 10]
A passport examiner looks at an entire application as a whole. A “hit”
on one of the computer checks does not necessarily result in a rejected
application. For example, some government officials who apply may have
both a personal passport and an official passport. The passport
examiner may resolve name check hits with other data such as place of
residence or Social Security number to differentiate between people who
may have the same name but are not the same person. If the examiner
suspects a problem with the application package, the case can be given
to a fraud program manager, who can perform a more detailed
investigation, such as verifying the authenticity of the identification
or citizenship documents.
If the passport examiner is satisfied that the applicant’s documents
are authentic and that there is no reason to deny a passport, then the
examiner approves the application and the applicant is issued a U.S.
passport. Normally, the process takes about 6 weeks. Annually, the
State Department issues about 7 million passports that are valid for
either 5 or 10 years, depending on the type of passport and the age of
the applicant. U.S. passports are depicted in figures 2 and 3.
Figure 2: A U.S. Passport Cover:
Source: State Department.
[See PDF for image]
[End of figure]
Figure 3: A U.S. Passport’s Biography Page:
Source: State Department.
[See PDF for image]
[End of figure]
How U.S. Visas Are Issued:
With some exceptions, foreign visitors must present a visa to enter the
United States. Applicants can apply in person for an immigrant or
nonimmigrant visa at 210 American embassies or consulates (see figure
4). The vast majority of issued U.S. visas are nonimmigrant visas. An
applicant for a nonimmigrant visa must submit an application, passport,
and photograph.[Footnote 11] Some applications may be submitted by mail
or in a drop box outside the embassy or consulate. About 37 percent are
submitted this way.
Figure 4: The U.S. Visa Application Process:
Source: GAO adaptation of State Department data.
[See PDF for image]
[End of figure]
After the data are keyed into the State Department’s visa computer
system, a consular officer reviews the application package. The officer
may interview the applicant, depending on the consular post and the
type of visa being applied for. Computer checks are conducted:
* A name check, using CLASS, looks for any matches with individuals who
may be ineligible to receive a visa. Visa applications are checked
against about 6.5 million records in CLASS.[Footnote 12] CLASS also
includes records of lost and stolen passports reported by other
countries.
* A check, using the Consular Consolidated Database (CCD), determines
whether the applicant has previously applied for a visa or currently
has a valid U.S. visa. CCD stores information about visa applications,
issuances, and refusals and obtains information about visa cases every
5 to 10 minutes from each consular post. CCD has about 58 million visa
records.
The consular officer makes a decision on whether to issue a visa, based
on information gathered from the visa application, passport, supporting
documentation, interview (if applicable), and computer checks. In some
cases, such as a name-check hit in CLASS, a security advisory opinion
from State Department headquarters may also be required. Visas may be
denied for a variety of reasons, including health-related reasons,
certain criminal offenses, and immigration violations.[Footnote 13]
Using fraudulent documents to obtain a U.S. visa is also grounds for
denial.
For nonimmigrant visas, the consular officer must be satisfied that an
applicant is not intending to become an immigrant. If the consular
officer is satisfied that the applicant’s documents are authentic and
that there is no reason to deny a visa, then the officer approves the
application and a visa is issued (see figure 5). The process can take
from a day to several weeks to complete. Last year, of the 10.5 million
applications received, about 7.5 million nonimmigrant visas were
issued. Depending on the type of visa and the nationality of the
applicant, visas can be issued for up to 10 years.
Figure 5: A U.S. Visa Foil:
Source: State Department.
[See PDF for image]
[End of figure]
Inspection at U.S. Ports of Entry:
Lawful entry into the United States generally must be completed through
an official air, land, or sea port of entry. Nearly 82 percent of the
more than 500 million inspections occur at land ports. Travelers’
nationalities and how they enter dictate the primary inspection
procedures (see figure 6). A primary inspector is to question each
traveler regarding his or her identity and purpose for entering the
United States. In addition, the nspector can inspect a traveler’s
travel documents and perform computer checks on the traveler’s name or
motor vehicle license plate. While the State Department is responsible
for initially granting or denying permission to come to the United
States, inspectors ultimately decide whether to allow the traveler into
the country at the ports of entry. The issuance of a U.S. visa does not
guarantee permission to enter.
Figure 6: The U.S. Port of Entry Inspection Process:
Source: GAO adaptation of INS data.
[See PDF for image]
[End of figure]
At primary inspection, the INS inspector either permits travelers to
enter or refers them to secondary inspection, where a more detailed
review of the travel documents or further questioning can be conducted
by another INS inspector. People may be refused entry for the same
reasons they can be denied a visa. For U.S. citizens, once an inspector
is convinced that a traveler is a citizen, the inspection is considered
complete for immigration purposes. However, checks can still be
conducted to determine whether the person is wanted by law enforcement
authorities.
Overall, in fiscal year 2001, about 1.7 percent of travelers entering
the United States were referred to secondary inspection. Of those
referred, about 8 percent were denied admission to the United States.
The numbers in fiscal year 2001 were:
* primary inspections: 505,916,147,
* secondary inspections: 8,838,624, and:
* travelers denied admission: 707,920.
At air ports of entry, commercial carriers are required to submit
passenger and crew manifests to INS through the Advance Passenger
Information System (APIS) for flights into the United States. For each
passenger, the first and last name, date of birth, nationality, and
passport number are transmitted. With information from APIS, INS
passenger analysis units can analyze intelligence on passengers before
flights arrive and identify passengers who will require referral to
secondary inspection.
Primary inspectors are to examine travel documents from all travelers
at air ports of entry. A name check is also to be conducted on all
travelers, using the Interagency Border Inspection System (IBIS).
Machine-readable passports are read with IBIS; the primary inspector
manually types in the names of travelers who do not have machine-
readable passports. IBIS is a multiagency database of lookout
information that alerts inspectors of conditions that may make
travelers inadmissible to the United States. It also provides
information about warrants for U.S. citizens who may be wanted by U.S.
law enforcement agencies. IBIS contains data from law enforcement and
other agencies with inspection responsibilities at the ports of entry,
including the Animal Plant Health Inspection Service, the Drug
Enforcement Administration, and the Federal Bureau of Investigation
(FBI).
At sea ports of entry, some commercial carriers submit passenger
manifests to INS through APIS before docking.[Footnote 14] As at
airports, INS’s passenger analysis units identify passengers who
require further examination when they enter the United States. At sea
ports of entry equipped with IBIS, the operation is very similar to
that at an airport. However, at most sea ports of entry, inspections
are conducted aboard a vessel. When the vessel docks, it is sealed so
that no goods or persons can be offloaded until it has been inspected.
INS inspectors board ships with the Portable Automated Lookout System
(PALS) housed on a laptop computer. PALS contains lookout information
but does not have as many records as IBIS and is not updated as often.
INS inspectors use PALS to perform name checks and examine documents of
all aliens aboard a vessel. For U.S. citizens, only documents are
checked. The inspection process on some of the larger cruise ships can
take up to 6 hours to complete.
At land ports of entry, the procedures differ for pedestrians and those
in vehicles. In addition, at land ports, INS shares primary inspection
responsibilities with the Customs Service of the Treasury Department.
INS and Customs inspectors are cross-designated to perform each other’s
primary inspection duties so that either inspector may conduct the
primary inspection, following both INS and Customs procedures. INS has
established procedures to examine travelers expeditiously at many land
ports of entry because of the large volume of traffic at land
crossings. Figure 7 shows vehicles waiting at a U.S. land port of
entry.
Figure 7: Motor Vehicles Waiting for Inspection at the Paso del Norte
Port of Entry, El Paso, Texas:
Source: GAO.
[See PDF for image]
[End of figure]
For pedestrians at land ports of entry, generally all travelers’
documents are to be checked. If IBIS is available, a traveler’s name is
either machine-read from the machine-readable passport or manually
keyed in by an inspector. U.S. citizens are not required to have a
passport when entering at a land port. Usually, they need only make an
oral declaration of U.S. citizenship. Similarly, at land ports of
entry, Canadians are not required to have a passport. Mexicans who
possess a border crossing card are not required to present either a
Mexican passport or a U.S. visa.[Footnote 15] Approximately 5 million
border crossing cards have been issued to Mexican nationals.
For vehicles at land ports of entry, license plates of all vehicles are
to be checked through IBIS. Some ports are equipped with automated
license plate readers. At others, an inspector manually keys license
plate information into IBIS as vehicles approach the inspection booth.
As with a name check, IBIS contains lookout information that alerts
inspectors of conditions that may make the occupants of a vehicle
inadmissible. Documents and names of the vehicle’s occupants are
checked randomly or when an inspector suspects that something is wrong.
Figure 8 shows a driver being questioned at a land port of entry.
Figure 8: A Driver Being Questioned at a Port of Entry:
Source: U.S. Customs Service.
[See PDF for image]
[End of figure]
At land borders, aliens who require additional documentation, such as
an Arrival/Departure Record, are to be referred to secondary inspection
and queried through IBIS. This includes aliens in possession of a
nonimmigrant visa and those traveling under the visa waiver program.
Some land ports of entry have implemented a program called Secure
Electronic Network for Travelers Rapid Inspection (SENTRI) to expedite
the inspection of vehicles and their occupants. With SENTRI, border
crossers register their vehicles and up to eight occupants, who are
checked against the IBIS database. Vehicles are identified when
approaching a SENTRI-equipped port of entry, using a transponder
installed on the vehicles. Pictures taken of each potential vehicle
occupant at registration are presented to the primary inspector on a
computer screen in the inspection booth when a vehicle drives up. The
inspector visually compares the pictures against the people in the
vehicle. SENTRI has reduced the average inspection time for each
vehicle to about 10 seconds from the earlier 30 to 40 seconds.
Similar to SENTRI, other vehicle ports of entry have implemented a
program called NEXUS that is run jointly by the United States and
Canada. Instead of issuing a transponder to a vehicle, a proximity card
is issued to each registered traveler that is detected as a vehicle
approaches the inspection booth of a NEXUS-equipped port of entry.
Photographs of travelers detected by their proximity cards are
presented to the primary inspector, who can then verify the identity of
each vehicle’s occupants.
Regardless of the method of entry, secondary inspection gives
inspectors more time with travelers to determine their admissibility
than primary inspection. In deciding whether to admit a traveler, the
inspector reviews the traveler’s documents for accuracy and validity
and checks INS’s and other agencies’ databases for any information that
could affect the traveler’s entry, including criminal history
information from the FBI and nonimmigrant visa issuance data from the
State Department. A fingerprint identification system is also available
in secondary inspection to determine whether INS has apprehended the
person for immigration offenses or whether other law enforcement
agencies are looking for the person.
[End of section]
Chapter 3: Biometric Technologies for Personal Identification:
In this chapter, we define biometrics and explain how they work,
describe leading and emerging biometrics, and briefly introduce a few
of the most common applications of biometric technologies. In
considering how to apply biometrics to border control, we summarize
data related to accuracy, the lack of applications-dependent
evaluations, systems’ susceptibility to deception, the status of
standards, and users’ acceptance. After briefly comparing performance
data on the technologies now considered most viable for U.S. border
control--facial, fingerprint, and iris recognition and hand geometry--
we end the chapter with a short list of biometric systems in border
control situations today, here and in other countries.
Biometrics Defined:
When used for personal identification, biometric technologies measure
and analyze human physiological and behavioral characteristics.
Identifying a person’s physiological characteristics is based on direct
measurement of a part of the body--fingertips, hand geometry, facial
geometry, and eye retinas and irises. The corresponding biometric
technologies are fingerprint recognition, hand geometry, and facial,
retina, and iris recognition. Identifying behavioral characteristics is
based on data derived from actions, such as speech and signature, the
corresponding biometrics being speaker recognition and signature
recognition.
Biometrics are theoretically very effective personal identifiers
because the characteristics they measure are thought to be distinct to
each person. Unlike conventional identification methods that use
something you have, such as an identification card to gain access to a
building, or something you know, such as a password to log on to a
computer system, these characteristics are integral to something you
are. Because they are tightly bound to an individual, they are more
reliable, cannot be forgotten, and are less easily lost, stolen, or
guessed.
How the Technologies Work:
Biometric technologies vary in complexity, capabilities, and
performance, but all share several elements. Biometric identification
systems are essentially pattern recognition systems. They use
acquisition devices such as cameras and scanning devices to capture
images, recordings, or measurements of an individual’s characteristics
and computer hardware and software to extract, encode, store, and
compare these characteristics. Because the process is automated,
biometric decision making is generally very fast, in most cases taking
only a few seconds in real time.
Depending on the application, biometric systems can be used in one of
two modes: verification or identification. Verification--also called
authentication--is used to verify a person’s identity--that is, to
authenticate that individuals are who they say they are. Identification
is used to establish a person’s identity--that is, to determine who a
person is. Although biometric technologies measure different
characteristics in substantially different ways, all biometric systems
involve similar processes that can be divided into two distinct stages:
enrollment and verification or identification.
Enrollment:
In enrollment, a biometric system is trained to identify a specific
person. The person first provides an identifier, such as an identity
card. The biometric is linked to the identity specified on the
identification document. He or she then presents the biometric (e.g.,
fingertips, hand, or iris) to an acquisition device. The distinctive
features are located; one or more samples are extracted, encoded, and
stored as a reference template for future comparisons. Depending on the
technology, the biometric sample may be collected as an image, a
recording, or a record of related dynamic measurements. How biometric
systems extract features and encode and store information in the
template are based on the system vendor’s proprietary algorithms.
Template size also varies, depending on the vendor and the technology.
Although templates can range from 9 to 20,000 bytes, most are smaller
than 1,000 bytes. Such small sizes allow for rapid comparison.
Templates can be stored remotely in a central database or within a
biometric reader device itself; their small size also allows for
storage on smart cards or tokens.
Minute changes in positioning, distance, pressure, environment, and
other factors influence the generation of a template, making each
template likely to be unique, each time an individual’s biometric data
are captured and a new template is generated. Consequently, depending
on the biometric system, a person may need to present biometric data
several times in order to enroll. Either the reference template may
then represent an amalgam of the captured data or several enrollment
templates may be stored. The quality of the template or templates is
critical in the overall success of the biometric application. Because
biometric features can change over time, people may have to reenroll to
update their reference template. Some technologies can update the
reference template during matching operations.
The enrollment process also depends on the quality of the identifier
the enrollee presents. The reference template is linked to the identity
specified on the identification document. If the identification
document does not specify the individual’s true identity, the reference
template will be linked to a false identity.
Verification:
In verification systems, the step after enrollment is to verify that a
person is who he or she claims to be (i.e., the person who enrolled).
After the individual provides whatever identifier he or she enrolled
with, the biometric is presented, which the biometric system captures,
generating a trial template that is based on the vendor’s algorithm.
The system then compares the trial biometric template with this
person’s reference template, which was stored in the system during
enrollment, to determine whether the individual’s trial and stored
templates match (see figure 9).
Figure 9: The Biometric Verification Process:
Source: GAO.
[See PDF for image]
[End of figure]
Verification is often referred to as 1:1 (one-to-one) matching.
Verification systems can contain databases ranging from dozens to
millions of enrolled templates but are always predicated on matching an
individual’s presented biometric against his or her reference template.
Nearly all verification systems can render a match-no-match decision in
less than a second. A system that requires employees to authenticate
their claimed identities before granting them access to secure
buildings or to computers is a verification application.
Identification:
In identification systems, the step after enrollment is to identify who
the person is. Unlike verification systems, no identifier need be
provided. To find a match, instead of locating and comparing the
person’s reference template against his or her presented biometric, the
trial template is compared against the stored reference templates of
all individuals enrolled in the system (see figure 10). Identification
systems are referred to as 1:N (one-to-N, or one-to-many) matching
because an individual’s biometric is compared against multiple
biometric templates in the system’s database.
Figure 10: The Biometric Identification Process:
Source: GAO.
[See PDF for image]
[End of figure]
There are two types of identification systems: positive and negative.
Positive identification systems are designed to ensure that an
individual’s biometric is enrolled in the database. The anticipated
result of a search is a match. A typical positive identification system
controls access to a secure building or secure computers by checking
anyone who seeks access against a database of enrolled employees. The
goal is to determine whether a person seeking access can be identified
as having been enrolled in the system.
Negative identification systems are designed to ensure that a person’s
biometric information is not present in a database. The anticipated
result of a search is a nonmatch. Comparing a person’s biometric
information against a database of all who are registered in a public
benefits program, for example, can ensure that this person is not
“double dipping” by using fraudulent documentation to register under
multiple identities.
Another type of negative identification system is a surveillance system
that uses a watch list. Such systems are designed to identify people on
the watch list and alert authorities for appropriate action. For all
other people, the system is to check that they are not on the watch
list and allow them normal passage. The people whose biometrics are in
the database in these systems may not have provided them voluntarily.
For instance, for a surveillance system, the biometrics may be faces
captured from mug shots provided by a law enforcement agency.
No match is ever perfect in either a verification or an identification
system, because every time a biometric is captured, the template is
likely to be unique. Therefore, biometric systems can be configured to
make a match or no-match decision, based on a predefined number,
referred to as a threshold, that establishes the acceptable degree of
similarity between the trial template and the enrolled reference
template. After the comparison, a score representing the degree of
similarity is generated, and this score is compared to the threshold to
make a match or no-match decision. For algorithms for which the
similarity between two templates is calculated, a score exceeding the
threshold is considered a match. For algorithms for which the
difference between two templates is calculated, a score below the
threshold is considered a match. Depending on the setting of the
threshold in identification systems, sometimes several reference
templates can be considered matches to the trial template, with the
better scores corresponding to better matches.
Leading Biometric Technologies:
A growing number of biometric technologies have been proposed over the
past several years, but only in the past 5 years have the leading ones
become more widely deployed. Some technologies are better suited to
specific applications than others, and some are more acceptable to
users. Table 5 lists the seven leading biometric technologies we
describe in this section.
Table 5: Leading Biometric Technologies and Their Template Size:
Technology: Facial recognition; How it works: Captures and compares
facial patterns; Template size in bytes: 84 or 1,300[A].
Technology: Fingerprint recognition; How it works: Captures and
compares fingertip patterns; Template size in bytes: 250-1,000.
Technology: Hand geometry; How it works: Measures and compares
dimensions of hand and fingers; Template size in bytes: 9.
Technology: Iris recognition; How it works: Captures and compares iris
patterns; Template size in bytes: 512.
Technology: Retina recognition; How it works: Captures and compares
retina patterns; Template size in bytes: 96.
Technology: Signature recognition; How it works: Captures and compares
rhythm, acceleration, and pressure flow of signature; Template size in
bytes: 1,000-3,000.
Technology: Speaker recognition; How it works: Captures and compares
cadence, pitch, and tone of vocal tract; Template size in bytes:
10,000-20,000.
[A] Depending on the algorithm.
Source: GAO analysis of manufacturer data.
[End of table]
Facial Recognition:
Facial recognition technology identifies people by analyzing features
of the face not easily altered--the upper outlines of the eye sockets,
the areas around the cheekbones, and the sides of the mouth. The
technology is typically used to compare a live facial scan to a stored
template, but it can also be used in comparing static images such as
digitized passport photographs. Facial recognition can be used in both
verification and identification systems. In addition, because facial
images can be captured from video cameras, facial recognition is the
only biometric that can be used for surveillance purposes.
The two primary algorithms used in facial recognition systems are based
on the eigenface method and local feature analysis (LFA). The eigenface
method looks at the face as a whole and represents a person’s face as a
set of templates that require 1,300 bytes. LFA breaks down the face
into feature-specific fields, such as the eyes, nose, mouth, and
cheeks, creating an 84 byte template.
Fingerprint Recognition:
Fingerprint recognition is one of the best known and most widely used
biometric technologies. Automated systems have been commercially
available since the early 1970s, and there are currently more than 75
fingerprint recognition technology companies. Until recently, it was
used primarily in law enforcement applications.
Fingerprint recognition technology extracts features from impressions
made by the distinct ridges on the fingertips. The fingerprints can be
either flat or rolled. A flat print captures only an impression of the
central area between the fingertip and the first knuckle; a rolled
print captures ridges on both sides of the finger.
An image of the fingerprint is captured by a scanner, enhanced, and
converted into a template. Scanner technologies can be optical,
silicon, or ultrasound technologies. Ultrasound, while potentially the
most accurate, has not been demonstrated in widespread use. Optical
scanners are the most commonly used. During enhancement, “noise” caused
by such things as dirt, cuts, scars, and creases or dry, wet, or worn
fingerprints is reduced, and the definition of the ridges is enhanced.
Template size ranges from 250 bytes up to 1,000 bytes, depending on
which vendor’s proprietary algorithm the system uses. Approximately 80
percent of vendors base their algorithms on the extraction of minutiae
points relating to breaks in the ridges of the fingertips. Other
algorithms are based on extracting ridge patterns.
Hand Geometry:
Hand geometry systems have been in use for almost 30 years for access
control to facilities ranging from nuclear power plants to day care
centers. Hand geometry technology measures the width, height, and
length of the fingers, distances between joints, and shapes of the
knuckles.
Hand geometry systems use an optical camera and light-emitting diodes
with mirrors and reflectors to capture two orthogonal two-dimensional
images of the back and sides of the hand. Ninety-six measurements are
then extracted and a 9 byte template is derived, making it the smallest
in the biometric industry.
Although the basic shape of an individual’s hand remains relatively
stable over his or her lifetime, natural and environmental factors can
cause slight changes.
Iris Recognition:
Iris recognition technology is based on the distinctly colored ring
surrounding the pupil of the eye. Made from elastic connective tissue,
the iris is a very rich source of biometric data, having approximately
266 distinctive characteristics. These include the trabecular meshwork,
a tissue that gives the appearance of dividing the iris radially, with
striations, rings, furrows, a corona, and freckles. Iris recognition
technology uses about 173 of these distinctive characteristics. Formed
during the eighth month of gestation, these characteristics reportedly
remain stable throughout a person’s lifetime, except in cases of
injury.
Iris recognition systems use a small, high-quality camera to capture a
black-and-white, high-resolution image of the iris. They then define
the boundaries of the iris, establish a coordinate system over the
iris, and define the zones for analysis within the coordinate system.
The visible characteristics within the zones are then converted into a
512 byte template that is used to identify or verify the identity of an
individual.
Retina Recognition:
Retina recognition technology captures and analyzes the patterns of
blood vessels on the thin nerve on the back of the eyeball that
processes light entering through the pupil. Retinal patterns are highly
distinctive traits. Every eye has its own totally unique pattern of
blood vessels; even the eyes of identical twins are distinct. Although
each pattern normally remains stable over a person’s lifetime, it can
be affected by disease such as glaucoma, diabetes, high blood pressure,
and autoimmune deficiency syndrome.
The fact that the retina is small, internal, and difficult to measure
makes capturing its image more difficult than most biometric
technologies. An individual must position the eye very close to the
lens of the retina-scan device, gaze directly into the lens, and remain
perfectly still while focusing on a revolving light while a small
camera scans the retina through the pupil. Any movement can interfere
with the process and can require restarting. Enrollment can easily take
more than a minute. The generated template is only 96 bytes, one of the
smallest of the biometric technologies.
One of the most accurate and most reliable of the biometric
technologies, it is used for access control in government and military
environments that require very high security, such as nuclear weapons
and research sites. However, the great degree of effort and cooperation
required of users has made it one of the least deployed of all the
biometric technologies. Newer, faster, better retina recognition
technologies are being developed.
Signature Recognition:
Signature recognition authenticates identity by measuring handwritten
signatures. The signature is treated as a series of movements that
contain unique biometric data, such as personal rhythm, acceleration,
and pressure flow. Unlike electronic signature capture, which treats
the signature as a graphic image, signature recognition technology
measures how the signature is signed.
In a signature recognition system, a person signs his or her signature
on a digitized graphics tablet or personal digital assistant. The
system analyzes signature dynamics such as speed, relative speed,
stroke order, stroke count, and pressure. The technology can also track
each person’s natural signature fluctuations over time.
The signature dynamics information is encrypted and compressed into a
template that can range from slightly larger than 1,000 bytes to
approximately 3,000 bytes. These templates are large by biometric
standards and reflect the variety of data available in a typical
signature.
Speaker Recognition:
Differences in how different people’s voices sound result from a
combination of physiological differences in the shape of vocal tracts
and learned speaking habits. Speaker recognition technology uses these
differences to discriminate between speakers.
During enrollment, speaker recognition systems capture samples of a
person’s speech by having him or her speak some predetermined
information into a microphone or telephone a number of times. This
information, known as a passphrase, can be a piece of information such
as a name, birth month, birth city, or favorite color or a sequence of
numbers. Text independent systems are also available that recognize a
speaker without using a predefined phrase.
This phrase is converted from analog to digital format, and the
distinctive vocal characteristics, such as pitch, cadence, and tone,
are extracted, and a speaker model is established. A template is then
generated and stored for future comparisons. Voice templates are much
larger than templates generated from other biometric technologies,
typically 10,000 to 20,000 bytes.
Speaker recognition can be used to verify a person’s claimed identity
or to identify a particular person. It is often where voice is the only
available biometric identifier, such as telephone and call centers.
Emerging Biometric Technologies:
Newer biometric technologies using diverse physiological and behavioral
characteristics are in various stages of development. Some are
commercially available, some may emerge over the next 2 to 4 years, and
others are many years from implementation. Table 6 lists the 9 we
describe in this section and their current maturity. Each techniqueís
performance can vary widely, depending on how it is used and its
environment in which it is used.
Table 6: Emerging Biometric Technologies and Their Maturity:
Technology: Vein scan; How it works: Captures images of blood vessel
patterns; Maturity: Commercially available.
Technology: Facial thermography; How it works: Infrared camera detects
heat patterns created by the branching of blood vessels and emitted
from the skin; Maturity: Initial commercialization attempts failed
because of high cost.
Technology: DNA matching; How it works: Compares actual samples of DNA
rather than templates generated from samples; Maturity: Many years
from implementation.
Technology: Odor sensing; How it works: Captures the volatile chemicals
that the skin’s pores emit; Maturity: Years away from commercial
release.
Technology: Blood pulse measurement; How it works: Infrared sensors
measure blood pulse on a finger; Maturity: Experimental.
Technology: Skin pattern recognition; How it works: Extracts distinct
optical patterns by spectroscopic measurement of light scattered by the
skin; Maturity: Emerging.
Technology: Nailbed identification; How it works: An interferometer
detects phase changes in back-scattered light shone on the fingernail;
reconstructs distinct dimensions of the nailbed and generates a one-
dimensional map; Maturity: Emerging.
Technology: Gait recognition; How it works: Captures a sequence of
images to derive and analyze motion characteristics; Maturity:
Emerging; requires further development.
Technology: Ear shape recognition; How it works: Is based on
distinctive ear shape and the structure of the cartilaginous,
projecting portion of the outer ear; Maturity: Still a research
topic.
Source: GAO analysis.
[End of table]
Vein scan biometric technology can automatically identify a person from
the patterns of the blood vessels in the back of the hand. The
technology uses near-infrared light to detect vein vessel patterns.
Vein patterns are distinctive between twins and even between a person’s
left and right hand. Developed before birth, they are highly stable and
robust, changing throughout one’s life only in overall size. The
technology is not intrusive, and works even if the hand is not clean.
It is commercially available.
Facial thermography detects heat patterns created by the branching of
blood vessels and emitted from the skin. These patterns, called
thermograms, are highly distinctive. Even identical twins have
different thermograms. Developed in the mid-1990s, thermography works
much like facial recognition, except that an infrared camera is used to
capture the images. The advantages of facial thermography over other
biometric technologies are that it is not intrusive--no physical
contact is required--every living person presents a usable image, and
the image can be collected on the fly. Also, unlike visible light
systems, infrared systems work accurately even in dim light or total
darkness. Although identification systems using facial thermograms were
undertaken in 1997, the effort was suspended because of the cost of
manufacturing the system.
DNA matching is a type of biometric in the sense that it uses a
physiological characteristic for personal identification. It is
considered to be the “ultimate” biometric technology in that it can
produce proof-positive identification of a person, except in the case
of identical twins. However, DNA differs from standard biometrics in
several ways. It compares actual samples rather than templates
generated from samples. Also, because not all stages of DNA comparison
are automated, the comparison cannot be made in real time. DNA’s use
for identification is currently limited to forensic applications. The
technology is many years away from any other kind of implementation and
will be very intrusive.
Researchers are investigating a biometric technology that can
distinguish and measure body odor. This technology would use an odor-
sensing instrument (an electronic “nose”) to capture the volatile
chemicals that skin pores all over the body emit to make up a person’s
smell. Although distinguishing one person from another by odor may
eventually be feasible, the fact that personal habits such as the use
of deodorants and perfumes, diet, and medication influence human body
odor renders the development of this technology quite complex.
Blood pulse biometrics measure the blood pulse on a finger with
infrared sensors. This technology is still experimental and has a high
false match rate, making it impractical for personal identification.
The exact composition of all the skin elements is distinctive to each
person. For example, skin layers differ in thickness, the interfaces
between the layers have different undulations, pigmentation differs,
collagen fibers and other proteins differ in density, and the capillary
beds have distinct densities and locations beneath the skin. Skin
pattern recognition technology measures the characteristic spectrum of
an individual’s skin. A light sensor illuminates a small patch of skin
with a beam of visible and near-infrared light. The light is measured
with a spectroscope after being scattered by the skin. The measurements
are analyzed, and a distinct optical pattern can be extracted.
Nailbed identification technology is based on the distinct
longitudinal, tongue-in-groove spatial arrangement of the epidermal
structure directly beneath the fingernail. This structure is mimicked
in the ridges on the outer surface of the nail. When an interferometer
is used to detect phase changes in back-scattered light shone on the
fingernail, the distinct dimensions of the nailbed can be reconstructed
and a one-dimensional map can be generated.
Gait recognition, recognizing individuals by their distinctive walk,
captures a sequence of images to derive and analyze motion
characteristics. A person’s gait can be hard to disguise because a
person’s musculature essentially limits the variation of motion, and
measuring it requires no contact with the person. However, gait can be
obscured or disguised if the individual, for example, is wearing loose
fitting clothes. Preliminary results have confirmed its potential, but
further development is necessary before its performance, limitations,
and advantages can be fully assessed.
Ear shape recognition is still a research topic. It is based on the
distinctive shape of each person’s ears and the structure of the
largely cartilaginous, projecting portion of the outer ear. Although
ear biometrics appears to be promising, no commercial systems are
available.
Common Applications of Biometric Technologies:
Reduced cost, smaller size, greater accuracy, and greater ease of use
are making biometrics increasingly feasible for international travel
documentation, citizenship identification, automated banking, and
benefits dispersal. Biometrics have either been adopted or are being
contemplated for adoption in dozens of applications, ranging from
modest--providing time and attendance reports for small companies--to
expansive--ensuring the integrity of a registration database of 10
million voters.
Access Control:
Biometric systems have long been used to complement or replace badges
and keys in controlling access to entire facilities or specific areas
within a facility. The entrances to more than half the nuclear power
plants in the United States employ biometric hand geometry systems.
They protected athletes housed in Olympic Village at the 1996 games in
Atlanta.
Recent reductions in the price of biometric hardware have spurred
logical access control applications. Fingerprint, iris, and speaker
recognition are replacing passwords to authenticate individuals
accessing computers and networks. The Office of Legislative Counsel of
the U.S. House of Representatives, for example, is installing an iris
recognition system to protect confidential files and working documents.
Other federal agencies, including the Department of Defense (DOD),
Department of Energy, and Department of Justice, as well as the
intelligence community, are adopting similar technologies.
Fraud Reduction:
Leading banks and other financial service companies are experimenting
with facial, iris, and speaker recognition systems to authenticate ATM
users and to combat credit and debit card fraud. Hand geometry and iris
and facial recognition have been deployed at ATMs in North America,
Europe, and Asia. The JPMorgan Chase Bank allows some customers to
access accounts by speaker recognition. To address concerns about
security and fraud, organizations that offer Internet shopping are also
considering biometric technologies to authorize various types of
transactions.
Biometrics can also be used in monitoring applications. Adding
biometrics to time and attendance processes, for example, helps prevent
hourly employees from punching time cards for their absent friends, a
practice that is estimated to cost employers hundreds of millions of
dollars annually. Biometrics are also being applied to prevent prison
inmates from swapping identities with visitors as they leave prisons.
In addition, biometric technologies are being used in large-scale
identification systems to determine whether applicants are already
enrolled under a different identity. One specific application has been
to prevent individuals from cheating public sector benefits programs by
collecting benefits under multiple identities. A number of states have
made fingerprinting a requirement for registration for welfare and
other types of public aid. Since biometric systems were deployed, the
number of individuals claiming benefits has dropped dramatically in
several states that use such systems. Internationally, in the
Philippines, South Africa, and Spain, programs to streamline or
legitimize issuing government benefits have enrolled millions of
citizens.
Licensing and Voter Applications:
Several states have implemented biometric systems to stop drivers,
particularly truck drivers, from maintaining duplicate licenses or
swapping licenses when crossing state lines or national borders. Large-
scale identification systems are also being used to register voters for
national and local elections to prevent voter fraud. Mexico, for
example, uses facial recognition technology to check voter rolls for
duplicates in its national elections. Brazil, Costa Rica, the Dominican
Republic, Panama, and Italy use fingerprints to verify voters at
polling stations.
Criminal Identification and Surveillance:
Criminal identification is far and away the oldest, most widespread,
large-scale identification use of biometric systems. Automated
fingerprint recognition systems are employed around the world to
identify suspects within local, state, or federal databases of known
offenders. Facial recognition is also being used for criminal
identification, although the technology does not provide the same high
degree of accuracy as the older technology. Employee background checks
are another application of large-scale systems. The governments of
Argentina, China, Nigeria, and Yemen are all planning to implement
biometrics in their national identification programs.
Surveillance is one of the most recent applications of biometric
systems. Although the majority of the major casinos in North America
have deployed facial recognition surveillance systems for some time to
spot known cheaters, systems are now publicly deployed in Newham
Borough, England; Tampa, Florida; and Canada’s Lester B. Pearson
International Airport in Toronto. More recently, they have been used
sporadically at such major events as the 2001 Super Bowl in Tampa,
Florida, and the winter Olympics at Salt Lake City in 2002.
Performance Issues:
Biometric technologies are maturing but are still not widespread or
pervasive because of performance issues, including accuracy, the lack
of applications-dependent evaluations, their potential susceptibility
to deception, the lack of standards, and questions of users’
acceptance. These issues should be kept in mind when considering
biometrics for U.S. border control.
Accuracy:
Biometrics is a very young technology, having only recently reached the
point at which basic matching performance can be acceptably deployed.
It is necessary to analyze several metrics to determine the strengths
and weaknesses of each technology and vendor for a given application.
The three key performance metrics are false match rate (FMR), false
nonmatch rate (FNMR), and failure to enroll rate (FTER). A false match
occurs when a system incorrectly matches an identity, and FMR is the
probability of individuals being wrongly matched. In verification and
positive identification systems, authorized people can be granted
access to facilities or resources as the result of incorrect matches.
In a negative identification system, the result of a false match may be
to deny access. For example, if a new applicant to a public benefits
program is falsely matched with a person previously enrolled in that
program under another identity, the applicant may be denied access to
benefits. The FMR, sometimes called the false positive rate, is
sometimes confused with the false accept rate. The FMR is the
probability of an erroneous match in a single template comparison while
the false accept rate is a system measure that a person is erroneously
matched, combining the results of all template comparisons. For
example, in an identification match, the FMR would be the probability
that the trial template erroneously matches a single selected reference
template. The false accept rate would be the probability that the trial
template erroneously matches any of the reference templates.
A false nonmatch occurs when a system rejects a valid identity, and
FNMR is the probability of valid individuals being wrongly not matched.
In verification and positive identification systems, people can be
denied access to some facility or resource as the result of a system’s
failure to make a correct match. In negative identification systems,
the result of a false nonmatch may be that a person is granted access
to resources to which she should be denied. For example, if a person
who has enrolled in a public benefits program under another identity is
not correctly matched, she will succeed in gaining fraudulent access to
benefits. The FNMR, sometimes called the false negative rate, is
sometimes confused with the false reject rate. The relationship between
FNMR and the false reject rate is similar to the relationship between
the FMR and the false accept rate. The FNMR is the probability of an
erroneous nonmatch for a single template comparison, while the false
reject rate is a system measure that a person is erroneously not
matched, combining the results of all template comparisons.
False matches may occur because there is a high degree of similarity
between two individuals’ characteristics. False nonmatches occur
because there is not a sufficiently strong similarity between an
individual’s enrollment and trial templates, which could be caused by
any number of conditions. For example, an individual’s biometric data
may have changed as a result of aging or injury. If biometric systems
were perfect, both error rates would be zero. However, because
biometric systems cannot identify individuals with 100 percent
accuracy, a trade-off exists between the two.
False match and nonmatch rates are inversely related; they must
therefore always be assessed in tandem, and acceptable risk levels must
be balanced with the disadvantages of inconvenience. For example, in
access control, perfect security would require denying access to
everyone. Conversely, granting access to everyone would result in
denying access to no one. Obviously, neither extreme is reasonable, and
biometric systems must operate somewhere between the two.
For most applications, how much risk one is willing to tolerate is the
overriding factor, which translates into determining the acceptable
FMR. The greater the risk entailed by a false match, the lower the
tolerable FMR. For example, an application that controlled access to a
secure area would require that the FMR be set low, which would result
in a high FNMR. However, an application that controlled access to a
bank’s ATM might have to sacrifice some degree of security and set a
higher FMR (and hence a lower FNMR) to avoid the risk of irritating
legitimate customers by wrongly rejecting them. This is displayed in
figure 11.
Figure 11: The General Relationship between FMR and FNMR:
Note: Equal error rate is the point at which FMR equals FNMR.
Source: GAO.
[See PDF for image]
[End of figure]
As figure 11 shows, selecting a lower FMR increases the FNMR. Perfect
security would require setting the FMR to 0, in which case the FNMR
would be 1. At the other extreme, setting the FNMR to 0 would result in
an FMR of 1.
The expectations regarding FMR and FNMR are very different for
verification and identification systems. In a verification system, a
user is checked against one or a few reference templates to confirm the
user’s claimed identity. A much higher standard is required for
identification systems where checks are made against all reference
templates in the database. Consequently, a much lower FMR is required
for a large-scale positive identification system than for a similar
size verification system, simply because even a small percentage of
false matches for a system that performed billions of comparisons a day
would overwhelm the resources dedicated to investigating positive
matches. The larger the identification database, the lower the false
match rate needs to be to maintain the number of false positives at a
manageable amount.
Vendors often use equal error rate (EER), an additional metric derived
from FMR and FNMR, to describe the accuracy of their biometric systems.
EER refers to the point at which FMR equals FNMR (see figure 11).
Setting a system’s threshold at its EER will result in the probability
that a person is falsely matched equaling the probability that a person
is falsely not matched. However, this statistic tends to oversimplify
the balance between FMR and FNMR, because in few real-world
applications is the need for security identical to the need for
convenience.
FTER is a biometric system’s third critical accuracy metric. FTER
measures the probability that a person will be unable to enroll.
Failure to enroll (FTE) may stem from an insufficiently distinctive
biometric sample or from a system design that makes it difficult to
provide consistent biometric data. The fingerprints of people who work
extensively at manual labor are often too worn to be captured. A high
percentage of people are unable to enroll in retina recognition systems
because of the precision such systems require. People who are mute
cannot use voice systems, and people lacking fingers or hands from
congenital disease, surgery, or injury cannot use fingerprint or hand
geometry systems. Although between 1 and 3 percent of the general
public does not have the body part required for using any one biometric
system, they are normally not counted in a system’s FTER.
Multimodal Biometrics:
Because biometric systems based solely on a single biometric may not
always meet performance requirements, the development of systems that
integrate two or more biometrics is emerging as a trend. Multiple
biometrics could be two types of biometrics, such as combining facial
and iris recognition. Multiple biometrics could also involve multiple
instances of a single biometric, such as 1, 2, or 10 fingerprints, 2
hands, and 2 eyes. One prototype system integrates fingerprint and
facial recognition technologies to improve identification. A
commercially available system combines face, lip movement, and speaker
recognition to control access to physical structures and small office
computer networks. Depending on the application, both systems can
operate for either verification or identification. Experimental results
have demonstrated that the identities established by systems that use
more than one biometric could be more reliable, be applied to large
target populations, and improve response time.
The Lack of Applications-Dependent Evaluations:
Biometric companies have primarily been concerned with testing the
accuracy of their technologies in highly controlled environments, using
static or artificially generated templates, images, and data. The
results of their tests, as quoted by vendors, are quite extraordinary,
such as claims of FMRs of 1 in 100,000, 1 in a billion, or even 1 in
1078 and FNMRs in the vicinity of 1 percent, 0.1 percent, and 0.01
percent. However, because the performance of a technology depends
greatly on how and where it is deployed, such numbers have proven to be
far more impressive than real-life performance data.
Until recently, there was no set methodology for testing the same
technologies in different applications. A recently developed
methodology uses a three-step evaluation protocol: a technology
evaluation, followed by a scenario evaluation and an operational
evaluation of biometric systems.[Footnote 16] Each of the methodology’s
three types of evaluation requires a different protocol and produces
different results. A technology evaluation compares competing
algorithms from a single technology to identify the most promising
approaches. A scenario evaluation tests overall system performance for
a class of applications under conditions that model real-world
applications. An operational evaluation measures performance for a
specific biometric system for a specific application in the actual
operating environment with actual users of the system. The Facial
Recognition Vendor Test 2000 (FRVT 2000), which assessed the
capabilities of commercially available facial recognition systems, was
based on this evaluation methodology and included elements of
technology and scenario evaluations.[Footnote 17]
Studies by respected organizations in the United States and the United
Kingdom have provided a number of effective measures of the actual
performance of biometric systems in different real-world environments.
Sandia National Laboratories’ 1996 evaluation of an iris recognition
identification system in an access-control environment included FNMR-
FMR results. The International Biometric Group (IBG) has since 1999
conducted side-by-side comparative performance testing of leading
biometric identity verification systems under real-world operating
conditions. Test results have included FNMRs, FMRs, and FTERs for
fingerprint, iris, facial, voice, keystroke, and signature systems. In
2000, the British National Physical Laboratory (NPL) tested biometric
identity verification systems, including fingerprint, hand, iris,
facial, voice, and vein, in real-world environments.[Footnote 18]
FNMRs, FMRs, and FTERs were reported. The U.S. Army Research
Laboratory’s pilot study of iris and facial recognition systems in
2000-01 reported performance results that included error rates as well
as user perception and acceptability. Table 7 lists the significant
independent tests and their results since 1991.
Table 7: Independent Biometric Test Results, 1991-2002:
Test name: Test of Biometric Technologies; Who conducted: Sandia
National Laboratories; Date: 1991; Technology: Fingerprint, hand,
retina, signature, speaker; Type: Technology; Performance measure: FMR,
FNMR, accept time.
Test name: Hand Geometry Field Application; Who conducted: Sandia
National Laboratories; Date: 1995; Technology: Hand; Type: Scenario;
Performance measure: Varied lighting, maintenance.
Test name: IriScan Prototype Identifier; Who conducted: Sandia
National; Laboratories; Date: 1996; Technology: Iris; Type: Scenario;
Performance measure: FMR, FNMR, enrollment time, transaction time.
Test name: Speaker Recognition Evaluations; Who conducted: National
Institute of Standards and Technology; Date: 1996 to present;
Technology: Speaker; Type: Technology; Performance measure: Handset
variation, test segment duration, speaker tracking, 1-speaker and 2-
speaker, cellular data.
Test name: Philippine AFIS Benchmark Test; Who conducted: National
Biometric Test Center; Date: 1997; Technology: Fingerprint; Type:
Technology; Performance measure: FMR, FNMR.
Test name: SENTRI Test; Who conducted: INS; Date: 1998; Technology:
Facial, speaker; Type: Scenario; Performance measure: FNMR.
Test name: Comparative Biometric Testing; Who conducted: IBG; Date:
1999 to present; Technology: Facial, fingerprint, iris, keystroke,
signature, speaker; Type: Scenario; Performance measure: FMR, FNMR,
enrollment rate, ergonomics, ease of use, temporal.
Test name: Biometric Product Testing; Who conducted: NPL; Date: 2000;
Technology: Facial, fingerprint, hand, iris, vein, speaker; Type:
Scenario; Performance measure: Failure to enroll and acquire, FMR,
FNMR, transaction time, male versus female.
Test name: FRVT 2000; Who conducted: DOD, National Institute of
Justice, NIST; Date: 2000; Technology: Facial; Type: Scenario,
technology; Performance measure: Probability of identity, probability
of verification, distance, temporal, expressions, pose, resolution,
media.
Test name: Fingerprint Verification Competition 2000; Who conducted:
University of Bologna, Michigan State University, San Jose State
University; Date: 2000; Technology: Fingerprint; Type: Technology;
Performance measure: Enrollment time, matching time, EER.
Test name: Facial Recognition Technology; Who conducted: Department of
State, Bureau of Consular Affairs; Date: 2001; Technology: Facial;
Type: Technology; Performance measure: FNMR.
Test name: Personnel Identification Pilot Study; Who conducted: Army
Research Laboratory; Date: 2001; Technology: Facial, iris; Type:
Operational; Performance measure: FMR, FNMR.
Test name: Fingerprint Identification Device; Who conducted: Federal
Aviation Administration and Safe Skies; Date: 2001; Technology:
Fingerprint; Type: Operational; Performance measure: FMR, FNMR,
enrollment and transit time, abnormal conditions (oil, grease, powder,
injury, moist or dry skin, offset angle, contact pressure,
backlighting, attempts to defeat).
Test name: Hand Geometry Identification Device; Who conducted: FAA and
Safe Skies; Date: 2001; Technology: Hand; Type: Operational;
Performance measure: FMR, FNMR, enrollment and transit time, abnormal
conditions (rings, injuries, backlighting, attempts to defeat).
Test name: Facial Recognition Device; Who conducted: FAA and Safe
Skies; Date: 2002; Technology: Facial; Type: Operational; Performance
measure: FMR, FNMR, enrollment and transit time, abnormal conditions
(glasses, facial hair, backlighting, bandages, false photograph).
Test name: Iris Recognition Device; Who conducted: FAA and Safe Skies;
Date: 2002; Technology: Iris; Type: Operational; Performance measure:
FTE, FNMR, enrollment and transit times.
Test name: Biometric Security Test; Who conducted: c’t Magazine; Date:
2002; Technology: Iris, fingerprint, facial; Type: Technology;
Performance measure: Attempts to defeat.
Test name: Fingerprint Verification Competition 2002; Who conducted:
University of Bologna, Michigan State University, San Jose State
University; Date: 2002; Technology: Fingerprint; Type: Technology;
Performance measure: Enrollment time, matching time, EER, FMR.
Test name: Facial Recognition Vendor Test 2002; Who conducted: 15
agencies and organizations, including DOD, National Institute of
Justice, and NIST; Date: In progress; Technology: Facial; Type:
Scenario, technology; Performance measure: In progress.
Source: GAO analysis of independent biometric test results.
[End of table]
A rash of new tests of biometric systems has recently been initiated.
The results are likely to provide more sound means of evaluating the
strengths and weaknesses of the different technologies and vendors’
products.
Susceptibility to Deception:
Can biometric systems be defeated? Many vendors claim that their
systems cannot be fooled because they are able to detect whether or not
an individual’s presented biometric is a live sample. Many biometric
devices can, in principle, determine whether a live characteristic is
being presented. Some fingerprint systems, for example, test for
“liveness” by relying on the unique conductive nature of live fingers.
Others measure blood flow or ensure that the ridges at the periphery of
a print are arrayed the same as in normal finger placement.
Although hand geometry systems do not actually check for a live
biometric, fingers have to be positioned so that they put pressure on
the correct pegs. Facial recognition checks for “liveness” by requiring
users to change their facial expression--by blinking their eyes or
smiling, for example--in order to successfully generate a template.
With iris recognition, light shone on the eye can be varied for
recording pupil dilation. Some speaker recognition systems can generate
a random sequence of numbers for each verification to ensure that a
recorded voice is not being played back. Moreover, low-fidelity
recording devices are generally not able to capture the high and low
frequencies necessary for verification.
Nevertheless, recent tests are casting doubt on vendors’ claims
regarding the maturity and security of their technologies. German
technology magazine c’t carried out tests on 11 commercially available
biometric systems used to control access to computers.[Footnote 19]
Facial, fingerprint, and iris recognition systems were defeated by
testers using photographs and videos, reactivated latent images, and
forgeries.
They spoofed one fingerprint recognition system by reactivating latent
fingerprints left on the surface of its capacitive sensor, simply by
breathing on the prints, placing a thin-walled water-filled plastic bag
on the sensor’s surface, and dusting the prints with graphite powder
and gently applying pressure to an adhesive film stretched over them.
They outfoxed another fingerprint recognition system whose optical
scanner required that an object be resting on its surface by creating a
silicone copy of a fingerprint of an enrolled person from a candle wax
mold.
They spoofed an iris recognition system by using a high-resolution
printed picture of an enrolled person’s iris with a live person’s pupil
shining through a miniature hole cut out of the picture’s pupil. They
beat a well-known facial recognition system by using a laptop computer
to play back “live” images of an enrolled person to the camera. They
fooled another facial system by holding up a photograph of an enrolled
person.
In another recent test, an engineering professor demonstrated how 11
commercially available fingerprint biometric systems could all be
fooled with a molded gelatin finger. A further recent test revealed
that biometric systems could be defeated by cracking the code of the
templates stored inside them. Using manufactured images that displayed
the characteristics required by the matching software, the tester
defeated commercially available fingerprint and retina recognition
systems. These tests certainly call into question the claim that
biometric systems cannot be deceived.
The Development of Biometric Standards:
Identifying, exchanging, and integrating information from different and
perhaps unfamiliar sources and functions are essential to an effective
biometrics application. Without predefined standards, system
developers may need to define in detail the precise steps for
exchanging information, a potentially complex, time-consuming, and
expensive process. The risks associated with not adopting standards for
a system are significant, because of the length of time the system must
remain operational and the rapid pace of technological change. The
proprietary technology of choice today may not be cost-effective or
even supported tomorrow.
Attempts to standardize biometrics are under way in various areas, such
as the mechanics of image capture, the accuracy of data as they are
extracted, and device interoperability. However, the majority of
biometric devices and their software are still proprietary in many
respects. For example, the method for extracting features from a
biometric sample such as a fingerprint differs among most, if not all,
vendors. Templates containing biometric data, time stamps, encryption
features, and device information are also not standard. Devices from
company A do not necessarily work compatibly with devices from
companies B and C. Incompatibility is also an issue for communication
between devices and host computers, since programs are developed from
vendors’ software development kits. Each vendor designs a software
development kit for its own products, so that the programs developed
for one vendor’s product generally cannot be used with another vendor’s
products.
The biometrics community does employ several standards, however. We
list seven:
* The wavelet scalar quantization (WSQ) gray-scale fingerprint image
compression algorithm is the standard for exchanging fingerprint images
within the criminal justice community. WSQ defines a class of encoders
and a single decoder with sufficient generality to decode compressed
image data produced by any compliant encoder.
* The National Institute of Standards and Technology (NIST) issued the
Common Biometric Exchange File Format (CBEFF) on January 3, 2001. The
standard is designed to (1) facilitate biometric data interchange
between different system components or between systems, (2) promote the
interoperability of biometric-based application programs and systems,
(3) provide forward compatibility for technology improvements, and (4)
simplify the integration of software and hardware from different
vendors.
* BioAPI™ Consortium has developed BioAPI, a specification for a high-
level generic biometric authentication model suited for any form of
biometric technology. It covers the basic functions of enrollment,
verification, and identification and includes a database interface to
allow a biometric service provider to manage the identification
population for optimum performance. It also provides methods that allow
an application to manage the capture of samples on a client and the
enrollment, verification, and identification on a server. While it does
not define security requirements for biometric applications and service
providers, it does explain how the application programming interface
(API) is intended to support good security practices.
* In May 2000, Microsoft Corp. and I/O Software Inc. announced that
they would cooperate to foster the widespread growth of biometrics
through the integration of biometric authentication technology in
future versions of the Microsoft Windows operating system. The
resulting biometric application programming interface (BAPI) is
expected to define a standard software protocol and API for
communication between software applications and biometric devices
running on Microsoft Windows platforms. BAPI is expected to standardize
the way different biometric devices, such as fingerprint scanners and
facial recognition devices, communicate with the application software
that uses them. It is also expected to be a comprehensively modular
architecture that covers a variety of hardware interfaces, encryption,
biometric algorithms, and application interfaces.
* Established by the Joint Photographic Experts Group (JPEG), the JPEG
specification can be used in facial recognition systems.[Footnote 20]
It describes an image compression system that allows great flexibility
not only for the compression of images but also for access to the
compressed data. The specification is designed for compressing either
full-color or gray-scale images of natural, real-world scenes, although
the decompressed images are not quite the same as the originals. JPEG’s
algorithm is designed to exploit known limitations of the eye, notably
that the eye perceives small color changes less accurately than small
changes in brightness. This is a limitation if an application uses a
JPEG image to machine-analyze images, since the small errors JPEG
introduces may be a problem even if they are invisible to the
eye.[Footnote 21]
* In February 2001, the American National Standards Institute (ANSI)
approved the Biometric Information Management and Security (ANSI X9.84-
2001) standard. This standard specifies the minimum security
requirements for effective management of biometric data. The standard
defines message formats for carrying biometric data in a secure way and
also defines many concepts and procedures for the creation of a secure
biometric system. The message formats specified by X9.84 are more
flexible than the BioAPI data format because they allow a richer
description of the biometric data and are extensible. Moreover, the
X9.84 standard addresses the issue of integrity and privacy of
biometric samples and templates in a flexible way, by providing several
different security mechanisms among which the user can choose.
* The American Association for Motor Vehicle Administration (AAMVA)
included a format for fingerprint minutiae data in its Driver License
and Identification (DL/ID-2000) Standard, which provides a uniform
means to identify issuers and holders of driver’s license cards within
the United States and Canada. The standard describes required and
optional data elements to be placed on a driver’s license card.
Required elements include the name, address, and photograph of the
driver. While fingerprints are classified as an optional data element,
the standard describes a way to record minutiae data based on the type,
position, angle, and quality of the minutiae point. A field is also
provided for recording vendor-specific data about the fingerprint. The
biometric portions of this standard are compatible with the BioAPI
specification and CBEFF.
Figure 12 shows the relationship of these standards to the individual
functional components necessary to make up a comprehensive biometric
system.
Figure 12: Standards for Biometric Systems:
Note: AAMVA = The American Association for Motor Vehicle
Administration’s Driver License and Identification (DL/ID-2000)
Standard. WSQ = wavelet scalar quantization. JPEG = a specification of
the Joint Photographic Experts Group. CBEFF = the National Institute of
Standards and Technology’s Common Biometric Exchange File Format.
BioAPI = the BioAPI™ Consortium’s BioAPI specification for a high-level
generic biometric authentication model. BAPI = biometric application
programming interface. X9.84 = the American National Standards
Institute’s ANSI X9.84-2001 standard.
Source: GAO analysis of biometric standards.
[See PDF for image]
[End of figure]
Although a number of such standards have been developed, those required
for integrating all vendorsí products are not yet available for all
types of applications. For example, the standard for how to store
biometric templates is not yet available. While the AAMVA standard
describes a common way to record fingerprint minutiae, it still allows
for including data in a vendor-specific format. Biometric templates,
which capture only the critical data needed to make a positive
confirmation, are small and can be stored on smart cards, but the
template one vendor uses cannot generally be used by another for some
biometric technologies, such as fingerprints. Working with other
groups--the Biometric Consortium, the BioAPI™ Consortium, the Biometric
Foundation, and the International Biometric Industry Association
(IBIA), among othersóthe InterNational Committee for Information
Technology Standards (INCITS) is reviewing draft project proposals for
standardizing biometric templates[Footnote 22] Without a biometric
template standard, it could be necessary to store the larger biometric
sample as well as the biometric template for each user during
enrollment. Such a standard would also allow for changes to the
biometric capture device (i.e., a change in equipment) or algorithms
without reenrolling all system users.
In November 2001, the executive board of INCITS established Technical
Committee M1, Biometrics, for the rapid development and approval of
formal national and international generic biometric standards. The goal
of M1’s work is to accelerate the deployment of significantly better,
standards-based security solutions for purposes such as homeland
defense and the prevention of identity theft, as well as other
government and commercial applications based on biometric personal
authentication. INCITS approved the BioAPI Specification, Version 1.1,
as the ANSI/INCITS 358-2002--Information technology--BioAPI
Specification, on February 13, 2002. It is now considering CBEFF for
fast track processing in the near future. Additionally, M1 is now
reviewing contributions of draft project proposals for the
standardization of biometric templates. M1 is also anticipating
contributions of draft project proposals for the development of
application profiles and implementation profiles, as required for
homeland defense applications, for example, as well as for financial
services, health care, civil aviation, and the use of biometrics for
preventing identity theft.
User Acceptance:
The overall success of biometric systems depends on how well people who
use biometric systems accept them and how easy they are to use. If
enrollment and matching procedures are too cumbersome, data-capture
errors can lead to high error rates, including FMRs and FNMRs.
Moreover, if people perceive a technology as being too intrusive, their
lack of cooperation or even resistance can affect a system’s
performance. Privacy concerns may be a barrier to the widespread
adoption of biometric technologies.
Some people find biometric technologies difficult, if not impossible,
to use. Still others resist biometrics in general as intrusive,
inherently offensive, or just uncomfortable to use. They consider it to
be physically intrusive to have to pause and position themselves in
relation to a capture device while presenting their biometric. Or they
even consider being required to verify their identity through a
hardware device rather than a human interaction to be too impersonal.
Fingerprint systems, in particular, face even stronger opposition
because of their association with criminal applications.
Some biometric devices also carry concerns about hygiene. For example,
some people object to hand geometry scanners because they do not like
to put their palms on the same surfaces where many other people have
placed theirs. Other people fear that devices that scan particularly
sensitive areas of the body, such as the eyes, will damage them.
Generally, the less intrusive people perceive a biometric to be, the
more readily they accept it.
Much public concern about biometrics arises from fears that the
technology can be misused to invade or violate personal privacy. Among
these fears are that biometric information will be:
* gathered without permission or knowledge or without explicitly
defined purposes,
* used for a variety of purposes other than those for which it was
originally acquired (sometimes called “function creep”),
* shared without explicit permission, or:
* used to track people across multiple databases to amalgamate
information for the purpose of surveillance or social control.
Technologies Viable for U.S. Border Control:
No biometric technology is best for every situation, but it is possible
to determine which technologies are more accurate and easier to deploy
for border control applications. Last year, the International Civil
Aviation Organization (ICAO) assessed fingerprint, facial, and iris
recognition as the top three biometrics meeting the requirements for
biometric identification in machine-readable travel documents. Table 8
summarizes the performance characteristics of the four technologies
that are most viable for border control. The performance factors such
as error rates, template sizes, and transaction times can vary greatly,
depending on whether the biometric technology is being used for 1:1
verification or 1:N identification.
Table 8: Four Viable Biometric Technologies Compared:
Characteristic: False nonmatch rate (FNMR); Facial: 3.3-70%;
Fingerprint: 0.2-36%; Iris: 1.9-6%; Hand: 0-5%.
Characteristic: False match rate (FMR); Facial: 0.3-5%; Fingerprint: 0-
8%; Iris: Less than 1%; Hand: 0-2.1%.
Characteristic: User acceptance issues; Facial: Potential for privacy
misuse; Fingerprint: Associated with law enforcement; hygiene concerns;
Iris: User resistance; usage difficulty; Hand: Hygiene concerns.
Characteristic: Enrollment time; Facial: About 3 minutes; Fingerprint:
About 3 minutes 30 seconds; Iris: About 2 minutes 15 seconds; Hand:
About 1 minute.
Characteristic: Transaction time; Facial: 10 seconds; Fingerprint: 9-19
seconds; Iris: 12 seconds; Hand: 6-10 seconds.
Characteristic: Template size; Facial: 84-1,300 bytes; Fingerprint:
250-1,000 bytes; Iris: 512 bytes; Hand: 9 bytes.
Characteristic: Number of major vendors; Facial: 2; Fingerprint: More
than 25; Iris: 1; Hand: 1.
Characteristic: Cost of device; Facial: Moderate; Fingerprint: Low;
Iris: High; Hand: Moderate.
Characteristic: Factors affecting performance; Facial: Lighting,
orientation of face, or sunglasses; Fingerprint: Dirty, dry, or worn
fingertips; Iris: Poor eyesight, glare, or reflections; Hand: Hand
injuries, arthritis, or swelling.
Characteristic: Demonstrated vulnerability; Facial: Notebook computer
with digital photo or false photographs; Fingerprint: Artificial
fingers or reactivated latent prints; Iris: High-resolution picture of
iris; Hand: None.
Characteristic: Variability with age; Facial: Affected by aging;
Fingerprint: Stable; Iris: Stable; Hand: Stable.
Characteristic: Commercially available; Facial: 1990s; Fingerprint:
1970s; Iris: 1997; Hand: 1970s.
Source: GAO analysis.
[End of table]
Recognizing that technology performance is least supported by
substantive real-life test data, ICAO has asked its member states to
perform scenario and operational evaluations with fingerprint, facial,
and iris recognition technologies. It plans to evaluate the results of
the testing and to select one or two biometric technologies for
standardization in machine-readable travel documents.
Retina, speaker, and signature recognition have certain drawbacks that
make them impractical for border control. Retina recognition is
considered too intrusive because the systems require users to position
their eyes very close to devices, which some users find very
discomforting. Also, because using these systems requires prolonged
effort and concentration, a high percentage of people are unable to
enroll. Speaker recognition was piloted for border control use but has
been found unreliable. In fact, this technology has several
disadvantages. Speech quality is affected by a person’s health, such as
a cold or sore throat, stress, and emotions. In addition, speaker
recognition systems do not perform well in noisy environments because
surrounding noise interferes with their ability to extract the
distinctive characteristics of an individual’s speech. Moreover,
because speaker recognition technologies have large templates, they
require longer processing times and use more storage. Finally, the
voice does not appear to be sufficiently distinctive to permit
identifying one individual within a large database of identities.
Signature recognition has a high FNMR because most people do not sign
their names consistently. Since the resulting nonmatches would require
many secondary inspections, signature recognition is probably not
practical for border control. Moreover, travelers from some countries
may not be accustomed to signing their names, to writing their names in
roman letters, or to writing at all.
Facial Recognition Performance:
The two leading vendors of facial recognition technology have their own
methods for analyzing a facial image and converting it to a digital
template. Enrolling in a facial recognition system seems relatively
easy. Results from Britain’s NPL product testing produced a 0 percent
FTER. But the performance of facial recognition technology appears to
depend on the operational setting and specific application. Pilots of
facial recognition surveillance at airports have resulted in FMRs
between 0.3 percent and 5 percent and FNMRs between 5 percent and 45
percent. In a State Department Bureau of Consular Affairs test
involving data sets of 10,000 to 100,000 images, fewer than 30 percent
of intentionally seeded duplicate images were correctly matched--an
FNMR of around 70 percent. Although facial recognition performs much
worse than fingerprint and iris recognition, it remains attractive
because facial images are used in a wide variety of identification
documents.
The performance of facial recognition technology is affected greatly by
environmental factors, especially lighting conditions. Variations in
camera performance and facial position, expression, and features
(hairstyle, eyeglasses, beards) further affect performance. Accurate
image alignment is necessary for the leading facial recognition
algorithms, which rely on identifying eye positions. One algorithm is
rendered ineffective when a person tilts the head from a direct frontal
pose to more than about 25 degrees horizontally or more than about 15
degrees vertically.
Performance is also degraded significantly as the stored facial
recognition template ages. When a match was attempted a year after
initial enrollment, some facial recognition technologies correctly
verified as little as 41 percent of the faces; this translates to an
FNMR of 59 percent.
In tests conducted by the Federal Aviation Administration (FAA) from
November 2001 through January 2002, the average enrollment time was 3
minutes and 2 seconds. When the device was in use, the time increased
by approximately 9.5 seconds to pass through a door.
Facial recognition systems can be quite costly. A facial recognition
server controlling access at a facility with up to 30,000 persons would
cost about $15,000. Depending on the number of entrances installed with
facial recognition devices, the cost of software licenses would range
from about $650 to $4,500. As the size of the database and the number
of attempted matches increased, so would a system’s cost. In addition
to the server and software licenses, a live-scan facial recognition
surveillance system includes closed-circuit television (CCTV)
surveillance. A fully integrated CCTV system for physical access
surveillance can cost from $10,000 to $200,000, depending on the size
of the entrance and the degree of monitoring required. For additional
CCTV equipment, cameras can cost between $125 and $500. Cameras with
advanced features can cost up to $2,300.
Although users typically consider facial recognition technology less
intrusive than other biometric technologies, some are concerned that it
can track them without their consent. Successful attempts to spoof
live-scan facial recognition systems would not work in a border
inspection where a border inspector is monitoring the equipment. (See
appendix IV for more details on facial recognition technology.):
Fingerprint Recognition Performance:
The majority of the leading vendors of fingerprint recognition
technology sell scanners based on optical or silicon technology. The
companies’ techniques for converting a fingerprint image to a digital
template are proprietary. The basic performance of fingerprint
recognition technology depends on the type of application and the type
of scanner capturing the fingerprint image. For about 2 to 5 percent of
people, fingerprints cannot be captured because they are dirty or have
become dry or worn from age, extensive manual labor, or exposure to
corrosive chemicals.
The time to enroll a person in a fingerprint recognition system depends
on the number of fingerprints used and the details of the enrollment
process. For example, in FAA testing, enrollment averaged 3 minutes and
30 seconds. In contrast, in the first 7 months of the CANPASS-Airport
pilot at Vancouver International Airport, roughly 1,000 travelers
registered in an average of 15 minutes.
The time required to match a fingerprint and verify an individual’s
identity can vary from sensor to sensor and from one application to
another. For example, in FAA testing, users took an average of about 10
seconds to pass through the door, compared to an average of about 2
seconds before the device was installed. NPL found that an optical
fingerprint system had a mean transaction time of 9 seconds, while a
silicon sensor system had a time of 19 seconds.
A fingerprint recognition device can typically be set for different
security levels, with higher FMRs at lower levels of security. For
example, the FBI’s Integrated Automated Fingerprint Identification
System (IAFIS) has a 1.5 x 10-12 FMR with an FNMR between 1.5 and 2
percent. In contrast, FAA testing from September 2000 to February 2001
produced FNMRs that ranged from about 6 percent to about 17 percent for
closely controlled test subjects. For actual airport employees
accessing the door in a less-controlled environment, the FNMR ranged
from about 18 percent to about 36 percent. The FMR ranged from 0
percent at the highest security level to about 8 percent at the lowest
security level.
The cost of each fingerprint reader designed for physical access
control ranges from about $1,000 to about $3,000. Software licenses are
listed for about $4 per enrolled user. For smaller fingerprint
scanners, maintenance is between 15 percent and 18 percent of cost. A
larger live-scan 10-print fingerprint reader costs about $25,000.
Maintenance of the larger machines is approximately 14 percent of the
cost of the reader.
Because law enforcement agencies have used fingerprints to identify
criminals, the technology’s similarity to forensic fingerprinting
causes some people discomfort. Privacy advocates fear that fingerprint
recognition systems may collect data for one purpose but then use the
data to track people’s private activities or for other purposes. Also,
people may have hygiene issues with having to touch the plate of the
scanner that many other people have touched.
The fingerprint recognition technologies have been shown to be
susceptible to deception, but this can be prevented if fingerprints are
scanned in a monitored environment. (See appendix II for more details
on fingerprint recognition technology.):
Iris Recognition Performance:
The sole provider of iris recognition technology developed the first
commercially viable system in 1997. Enrolling in an iris recognition
system requires a person to gaze steadily at a camera for a short time.
Some people find this difficult to do and therefore fail to enroll. The
FTER in an NPL test was 0.5 percent. While iris technology does not
require touching any device, some people resist the scanning of their
eyes.
However, iris recognition technology has good performance
characteristics. Testing at the U.S. Army Research Laboratory resulted
in FMRs of less than 1 percent and an FNMR of 6 percent. In 1996,
Sandia National Laboratories, testing a prototype iris recognition
system, found that the FNMR was 10.2 percent and the average enrollment
time was 2 minutes and 15 seconds. In a more recent test by NPL, the
iris recognition system showed an FMR of 0 percent, FNMR of 0.2
percent, and a mean transaction time of 12 seconds.
Colored or bifocal contact lenses can affect system performance, as can
exceptionally strong glasses. Poor eyesight may also hinder some people
from lining their eyes up with the camera. Glare and reflection can
also cause interferences. People with glaucoma or cataracts may not be
reliably identified by iris recognition systems.
Iris recognition systems cost approximately $2,000 for physical access
units. The overall cost of a comprehensive iris recognition system
would be much higher.
Certain iris recognition devices have been spoofed by holding up to the
camera a high-resolution picture of an iris with a tiny hole cut out to
allow the pupil of a live eye to shine through. Such deceptions could
be prevented at a border inspection station monitored by inspectors.
(See appendix V for more details on iris recognition technology.):
Hand Geometry Performance:
Hand geometry, in use for almost 30 years, is a relatively mature
biometric technology with only one primary vendor. The shape and size
of our hands are reasonably diverse but not highly distinctive. Thus,
hand geometry is not suitable for identifying one individual among
many. Because border control applications require checking for
duplicate enrollment before travel documents are issued, hand geometry
is not viable for that aspect of border control. However, hand geometry
can be used to verify identity after performing the enrollment checks
with a more distinctive biometric technology.
Typically, everyone with a hand can enroll in a system--FTER is 0
percent. In FAA testing from March through July 2001, time for
enrolling with a hand geometry device averaged 57 seconds. The FNMR for
airport employees using the system ranged from approximately 5 percent
at a high security-level setting to less than 1 percent at a low
security-level setting. The FMR ranged from 0 percent at the high
security-level setting to about 2 percent at the low security-level
setting. The FAA test also found that using the hand geometry device
increased the time to open a door by 6 seconds. However, an NPL test
found a mean transaction time of 10 seconds for a hand geometry system.
The performance of hand geometry technology is affected by jewelry,
arthritis, water retention, and swelling from pregnancy or hand injury.
Hand geometry devices generally cost between $2,000 and $4,000. Staff
training is minimal, with no personnel costs, since most hand geometry
devices are unattended. It is considered easy to use, although a
minimal amount of training may be required for individuals to learn to
align their hands in the device. Hand geometry is generally perceived
as not intrusive, not threatening, and not invasive, and it bears very
little of the stigma of other biometric technologies. (See appendix III
for more details on hand geometry technology.):
Biometric Technology Applied to Border Control Today:
Applying biometric technologies to customs and immigration in the
United States and other nations is growing rapidly. Fingerprint,
facial, and iris recognition and hand geometry systems are being
planned or have been implemented to different degrees, ranging from
piloted tests to operational usage. We summarize some of these projects
and their applications, particularly to trusted air travel, land border
crossing, obtaining and verifying travel documents, and surveillance.
Trusted Air Travel:
Trusted air travel programs permit frequent travelers to circumvent
customs procedures and immigration lines. To participate, users undergo
a background screening and registration. Once enrolled, they can
present their biometric at an airport kiosk for comparison against a
template stored either on a storage card in their possession or in a
central database.
INSPASS, a pilot program in place since 1993, has more than 35,000
frequent fliers enrolled at nine airports, with more than 250,000
transactions every year. It is open to citizens of the United States,
Canada, Bermuda, and visa waiver program countries who travel to the
United States on business three or more times a year.
A hand recognition system similar to INSPASS at Ben Gurion Airport in
Tel Aviv, Israel, since 1998 verifies international travelers and all
Israeli citizens. By April 2002, more than 100,000 travelers had
enrolled in the program, and the system was processing about 50,000
passengers each month.
The Expedited Passenger Processing System (EPPS), based on iris
recognition technology, is being launched at eight major international
airports in Canada. Positive verification against the template at an
airport kiosk entitles travelers to circumvent customs and immigration
lines. The first kiosks are expected to be installed in Vancouver and
Toronto airports in 2003.
In July 2001, frequent travelers on British Airways and Virgin Atlantic
Airways transatlantic flights began clearing immigration through iris
recognition verification at London’s Heathrow Airport. Once registered
and enrolled, landing passengers can proceed directly to special lanes
to verify their identity against an iris template stored in a central
database. If successful, they are issued a ticket that admits them
directly to the United Kingdom.
A program to expedite immigration processing for frequent travelers at
Amsterdam’s Schiphol Airport, the Netherlands, is based on a
combination of iris recognition and smart card technology. About 2,000
smart cards have been issued to nationals from 18 different European
countries.
Land Border Crossing:
In a joint INS and State Department effort to comply with the Illegal
Immigration Reform and Immigrant Responsibility Act of 1996, every
border crossing card issued after April 1, 1998, contains a biometric
identifier and is machine-readable. The cards, also called laser visas,
allow Mexican citizens to enter the United States without being issued
further documentation for the purpose of business or pleasure and stay
for 72 hours or less, going no farther than 25 miles from the border.
If a Mexican citizen plans to stay for longer than 72 hours or to go
more than 25 miles from the border, additional documentation is
required. Consular staff in Mexico photograph applicants and take
prints of the two index fingers and then electronically forward
applicants’ data to INS. Both State and INS conduct checks on each
applicant, and the fingerprints are compared with prints of previously
enrolled individuals to ensure that the applicant is not applying for
multiple cards under different names. The cards store a holder’s
identifying information along with a digital image of his or her
picture and the minutiae of the two index fingerprints. Figures 13 and
14 show the front and back of the laser visa. As of May 2002, State had
issued more than 5 million cards. However, INS has not yet deployed
fingerprint readers or card readers, so inspectors examine cards at the
points of entry as they would a travel document.
Figure 13: The Front of a Laser Visa:
Source: INS.
[See PDF for image]
[End of figure]
Figure 14: The Back of a Laser Visa:
Source: LaserCard Systems Corporation, Mountain View, California.
[See PDF for image]
[End of figure]
The government of Israel is implementing a biometrics system that uses
hand and facial scans to facilitate passage through border checkpoints
between the Gaza Strip and other areas of Israel. The system will
verify the identity of 60,000 Palestinian workers who cross the border
at 42 automated checkpoints daily. The workers’ biometrics will be
compared with templates stored on a central server and backed up on
smart cards that the workers can present.
An iris recognition system in Singapore processes motorbike passengers
crossing the border from Malaysia each day to work. Approximately
50,000 travelers cross this border each day.
Hong Kong plans to introduce a fingerprint scanning system in 2003 at
the Shenzhen border in China to accelerate immigration for the 250,000
people who cross the border every day. Travelers will be able to swipe
a smart card bearing personal data along with a photograph and the
template of a thumbprint through an optical reader while presenting the
thumb to a scanner.
Obtaining and Verifying Travel Documents:
The Department of State has been running pilots of facial recognition
technology at 23 overseas consular posts for several years. As a visa
applicant’s information is entered into the local system at the posts
and replicated in State’s CCD, the applicant’s photograph is compared
with the photographs of previous applicants stored in CCD to prevent
fraudulent attempts to obtain visas. Some photographs are also being
compared to a watch list.
Australia’s Sydney Airport is assessing facial recognition technologies
in one-to-one comparisons of individuals’ facial features with their
passport pictures to identify people traveling with false passports.
Saudi Arabia installed iris scanning and fingerprinting devices in the
King Abdul Aziz Airport in the Red Sea port city of Jeddah during this
year’s annual Hajj pilgrimage to Mecca to verify that individuals
entered and exited the country under the same travel documents.
Surveillance:
Sydney Airport in Australia is using facial recognition technology to
identify wanted faces within the airport’s crowds. Iceland’s main
international airport at Keflavik scans passengers with facial
recognition technology as they pass through boarding gates, comparing
their facial characteristics with a watch list of suspected terrorists
and criminals.
[End of section]
Chapter 4 Scenarios for Border Control with Biometrics:
In the previous chapter, we described how biometric technologies work,
their performance, and some of their applications. In this chapter, we
outline how fingerprint, facial, and iris recognition technologies
could help improve the procedures now used to secure U.S. borders. We
identify four possible scenarios:
* Making a watch list check before issuing travel documents.
* Making a watch list check before travelers enter the United States.
* Issuing U.S. visas with one or more of these biometrics.
* Issuing U.S. passports with one or more of these biometrics.
These scenarios do not represent all the ways to use biometrics for
border control, but they do reflect some elements of pilots that have
implemented biometric technologies for border control, as well as
options discussed in legislation and by agencies responsible for border
security. While hand geometry cannot be used for conducting a watch
list check, it can be used in conjunction with one of the other
technologies to verify identities using visas or passports.
The first two scenarios could help identify individuals who are
ineligible to receive a U.S. visa or passport or who cannot be admitted
to the United States. Both of these scenarios use an identification
match to compare the traveler’s biometric against a database of stored
biometrics. The two other scenarios could help link an individual’s
identity to U.S. travel documents and could help reduce document
counterfeiting and impostors’ fraudulent use of legitimate documents.
The four scenarios are not mutually exclusive; they could be
implemented individually or in combination. In the next chapter, we
analyze costs, benefits, and implications associated with implementing
the scenarios.
Watch List Check before Issuing Travel Documents:
Making a watch list check before issuing travel documents could
identify individuals ineligible to receive a U.S. visa or passport when
their biometric was compared during the application process against a
database of the biometrics of individuals on a watch list. This
scenario would have the least effect on current operations and would
require the least development of new systems. As depicted in figure 15
for visas and figure 16 for passports, the watch list check would
essentially be an additional computer check conducted much as the name
check that is conducted through CLASS today.
Figure 15: Issuing U.S. Visas by a Watch List Check Process:
Source: GAO analysis.
[See PDF for image]
[End of figure]
Figure 16: Issuing U.S. Passports by a Watch List Check Process:
Source: GAO analysis.
[See PDF for image]
[End of figure]
Policies for the contents of the watch list would have to be developed,
including criteria for names to place on the watch list--whether those
of terrorists, criminals, violators of immigration law, or others. The
biometric technology would most likely be based on facial recognition
from photographs that applicants for documents submit. Often, a
photograph is the only biometric available for certain people who are
not admissible to the United States. Criteria for the quality of the
stored biometric for those on the watch list would probably have to be
developed in order to enhance the performance of the matching process.
Implementing this scenario would probably require two additional
computer system units to house the watch list and to match applicants’
photographs and the photographs on the watch list. Figure 17 depicts
one possible construct for this scenario’s architecture. Existing
systems, such as CCD and Passport Files Miniaturization (PFM), could
require significant changes and corresponding time and resources to
accommodate this scenario.
Figure 17: System Architecture for a Biometric Watch List Check before
Issuing Travel Documents:
Source: GAO analysis.
[See PDF for image]
[End of figure]
Depending on the watch list criteria, it might be possible to use
fingerprint or iris recognition to perform the match. Using
fingerprints or the iris as the watch list biometric would complicate
data collection. Instead of just submitting a photograph, applicants
would have to submit fingerprint or iris biometrics. This information
would then have to be stored centrally and read by readers installed at
embassies, consulates, and passport acceptance offices.
Watch List Check before Entering the United States:
Individuals who are not eligible to enter the United States could be
identified before they could enter if, during inspection, their
biometrics are checked against a database of the biometrics of people
on a watch list. As depicted in figure 18, this watch list check--which
would be similar to the IBIS check at ports of entry--would be an
additional computer check conducted during inspection.
Figure 18: Entering the United States by a Watch List Check Process:
Source: GAO analysis.
[See PDF for image]
[End of figure]
As with the watch list scenario for issuing travel documents, policies
would have to be developed for a watch list for entering the country,
including the list’s contents and the quality of the stored biometric.
Facial recognition based on images collected as travelers presented
themselves before INS inspectors would be the likely biometric
technology. Often, a photograph is the only biometric available for
certain people not admissible to the United States.
As with the scenario we described above, a database to store the watch
list would have to be developed. The primary difference in cost between
these two scenarios would be the cost of biometric readers for the
ports of entry and the corresponding infrastructure and personnel to
use the readers. The readers would require access to the database of
the biometrics of the individuals on the watch list. Figure 19 depicts
one possible construct for this scenario’s architecture. Existing
systems, such as IBIS and the Treasury Enforcement Communications
System (TECS), could require significant changes and corresponding time
and resources to accommodate this scenario.
Figure 19: System Architecture for a Biometric Watch List Check before
Entering the Country:
Source: GAO analysis.
[See PDF for image]
[End of figure]
U.S. Visas with Biometrics:
In a scenario in which U.S. visas contained biometrics, two of the
border control processes would be affected. First, applicants for U.S.
visas would submit a biometric with their applications at American
embassies and consulates. During the application process, the
applicant’s biometric data would be stored and an identification match
would be conducted to compare the biometric information stored from
other issued visas, as well as rejected visa applications, to check for
duplicate and fraudulent applications. Second, at the ports of entry,
the traveler’s biometric would be verified as a part of the inspection
process. The verification match compares the biometric data collected
during the visa application process with the data collected during the
inspection process.
Figure 20 shows how collecting the biometric would change current visa
issuing procedures and the additional computer check necessary to
determine whether the new biometric had been previously enrolled.
Figure 21 shows how port of entry inspection would change--essentially
by adding a computer check to confirm travelers’ identities.
Figure 20: Issuing U.S. Visas with Biometrics:
Source: GAO analysis.
[See PDF for image]
[End of figure]
Figure 21: Port of Entry Visa Inspection with Biometrics:
Source: GAO analysis.
[See PDF for image]
[End of figure]
This scenario would require buying biometric readers for the embassies,
consulates, and ports of entry. A database would be required for
storing biometric information. This database could be integrated with
CCD, which stores visa application and issuance information. To
properly link a biometric with an individual, live capture of the
biometric would be required, eliminating some, if not all, of the
benefit of mail-in and drop-box visa applications. Figure 22 shows one
possible construct for this scenario’s architecture. Fingerprint,
facial, or iris recognition could be used for this scenario. Hand
geometry can be used only in combination with another technology
because it is not effective in identification matches. Existing
systems, such as IBIS, TECS, and CCD, could require significant changes
and corresponding time and resources.
Figure 22: System Architecture for Issuing Visas with Biometrics:
Source: GAO analysis.
U.S. Passports with Biometrics:
[See PDF for image]
[End of figure]
Two border control processes would be affected also in a scenario that
issued U.S. passports containing biometrics. First, passport applicants
would submit a biometric with their applications. The applicant’s
biometric data would be stored and an identification match would be
conducted to compare the biometric information stored from other issued
passports, as well as rejected passport applications, to check for
duplicate and fraudulent applications. Second, the traveler’s biometric
would be verified during inspection at ports of entry. The verification
match compares the biometric data from the passport application with
the data collected during inspection. Figure 23 shows the biometric
collection and the computer check to determine whether travelers’
biometrics had been previously enrolled. Figure 24 shows the port of
entry inspection, essentially adding a computer check to confirm
travelers’ identities.
Figure 23: Issuing U.S. Passports with Biometrics:
Source: GAO analysis.
[See PDF for image]
[End of figure]
Figure 24: Port of Entry Passport Inspection with Biometrics:
Source: GAO analysis.
[See PDF for image]
[End of figure]
This scenario would require purchasing biometric readers for passport
acceptance offices and ports of entry. It would require the database
for storing biometric information. The database could be integrated
with the State Department’s Passport Records Imaging System Management
(PRISM) and PFM, which store passport application and issuance
information. To properly link biometrics with individuals, live capture
of biometrics would be required, and this might eliminate some of the
benefits of mail-in renewal applications. Figure 25 shows one possible
construct for this scenario’s architecture. Fingerprint, facial, or
iris recognition could be used for this scenario. Hand geometry can be
used only in combination with one of the other technologies because it
is not effective in performing identification matches. Existing
systems, such as IBIS, TECS, and PFM, could require significant changes
and corresponding time and resources to accommodate this scenario.
Figure 25: System Architecture for Issuing Passports with Biometrics:
Source: GAO analysis.
[See PDF for image]
[End of figure]
Implementing Multiple Scenarios:
Two or more of these scenarios could be implemented in combination.
Implementing scenarios in combination would not necessarily mean that
costs would be additive. For example, the same biometric readers could
be used to read biometrics from visa holders and passport holders at
U.S. ports of entry. Similarly, the same watch list database could be
used for checking before issuing travel documents and for checking
before allowing entry into the United States.
It would also be possible to implement multiple biometric technologies.
For example, it might be desirable for performance reasons to have both
facial and fingerprint biometrics captured on visas so that either or
both could be verified when people seek entry to the United States. It
might be possible to integrate the match algorithms so that they take
in results from both biometric readers and use them in combination to
determine matches. The incremental costs associated with the additional
biometric readers would have to be considered, as well as the costs of
any additional labor and space required in order to capture the
biometrics and any additional server capacity to store the additional
biometrics. We discuss costs in the next chapter.
[End of section]
Chapter 5: Applying Biometrics to Border Control: Challenges and
Implications:
While biometric technology is currently available and used in a variety
of applications, questions remain regarding the technical and
operational effectiveness of biometric technologies in applications as
large as border control. In addition, before implementing any biometric
border security system, a number of other issues would have to be
considered, including:
* The system’s effect on existing border control procedures and people.
Technology is only part of an overall security solution and only as
effective as the procedures within which it operates.
* The costs and benefits of the system, including secondary costs
resulting from changes in processes or personnel to accommodate the
biometrics.
* The system’s effect on privacy, convenience, and the economy.
In this chapter, we present our analysis of the costs and benefits of
the four scenarios as they could be applied to current border control
procedures.
The Performance of Biometric Technologies:
Ideally, a biometric should be universally present, unique to the
individual, and stable over time. The cost and ease of using a
biometric technology also weigh into its selection. Of the four
biometrics we examine in depth for border control, only a person’s face
is universally present, while other biometrics are not--people can lose
or damage fingers, hands, and eyes. Estimates are that 1 to 3 percent
of the population might be physically unable to use these biometrics.
Hand geometry and fingerprint, facial, and iris recognition have not
been formally proven unique. Therefore, a biometric’s uniqueness within
a large population can be established only by its historical use. Table
9 shows the sizes of some of the larger biometric systems.
Table 9: The Enrollment Size of Seven Operational Biometric Systems:
Biometric database: Mexican Federal Electoral Institute; Technology:
Facial recognition; Enrollment: 60,000,000.
Biometric database: Integrated Automated Fingerprint Identification
system; Technology: Fingerprint; Enrollment: 40,000,000.
Biometric database: INS Automated Biometric Fingerprint Identification
System; Technology: Fingerprint; Enrollment: 4,500,000.
Biometric database: Ben Gurion International Airport; Technology: Hand
geometry; Enrollment: 100,000.
Biometric database: INS Passenger Accelerated Service System;
Technology: Hand geometry; Enrollment: 35,000.
Biometric database: King Abdul Aziz Airport, Saudi Arabia; Technology:
Iris recognition; Enrollment: 30,000.
Biometric database: Schiphol Airport, Amsterdam; Technology: Iris
recognition; Enrollment: 2,000.
Source: GAO analysis.
:
[End of table]
As table 10 shows, the sizes of the biometric systems specified in the
four scenarios are large. The system required to issue visas with
biometrics far exceeds in size the largest biometric database created
so far. While fingerprint and facial recognition have been used in
large systems, the size of each scenario far exceeds the largest iris
recognition system of 30,000. As we have previously described, hand
geometry is not highly distinctive and therefore cannot be used for
border control where identification of one individual among many will
be required. To be used for verification, hand geometry will need to be
used in combination with one of the other technologies that can perform
the initial identification match.
Table 10: Estimated Number of Biometric Matching Transactions in Four
Border Control Scenarios:
Scenario: 1. Making a watch list check before issuing travel documents;
System size: Depends on criteria used to develop the watch list: CLASS
has about 10 million records for foreigners and U.S. citizens; Matching
transactions per year: 17 to 31 million applications; * 10 million
visas;
* 7 million passports; * possibly 14 million visas from visa waiver
countries.
Scenario: 2. Making a watch list check before travelers enter the
United States; System size: Depends on criteria used to develop the
watch list: CLASS has about 10 million records; Matching transactions
per year: 500 million primary inspections.
Scenario: 3. Issuing U.S. visas with biometrics; System size: 100
million to 240 million visa records over 10 years; Matching
transactions per year: 48 to 63 million.
Scenario: 4. Issuing U.S. passports with biometrics; System size: 70
million passport records over 10 years; Matching transactions
per year: Up to 175 million[A].
[A] About 175 million U.S. citizens were inspected at ports of entry in
fiscal year 2001. Because a passport is not required in returning from
countries such as Canada and Mexico, it is not clear how many of these
citizens had passports.
Source: GAO analysis.
:
[End of table]
In testing and operation, some fingerprint and iris recognition
technologies have proven fairly accurate. Fingerprint recognition has
achieved a low FMR but a variable FNMR. According to the FBI, the FMR
for IAFIS is about 1.5 x 10-12 with an FNMR of between 1.5 and 2.0
percent. In testing NPL conducted, at an FMR of about 2 percent, the
FNMR was about 4.3 percent. In pilots FAA sponsored, FNMR ranged from 6
percent to 36 percent and the FMR was between 0 percent and 8 percent.
Iris recognition has also shown it can achieve a low FMR but with a
variable FNMR. In NPL’s testing, the FMR was 0 percent with an FNMR of
1.9 percent. The U.S. Army Research Laboratory found an FMR below 1
percent with an FNMR of 6 percent. Sandia National Laboratories’ test
showed 0 percent FMR and 10.2 percent FNMR.
Facial recognition has had more mixed results. In verification testing
NPL conducted, at an FMR of about 1 percent, the FNMR was about 3.3
percent. In a pilot FAA sponsored, an FMR of 0.19 percent was achieved
with an FNMR between 3 percent and 26 percent. In preliminary testing
NIST conducted this year, facial recognition achieved an FMR of 1
percent and an FNMR of 25 percent. For identification testing, facial
recognition fared worse. A State Department pilot encountered an FMR of
15 percent. Tests conducted at U.S. airports have found FMRs between 1
and 5 percent and FNMRs between 5 and 15 percent. At one airport where
the objective was to achieve an FMR as close to 0 as possible, an FMR
of 0.3 percent was achieved but with an FNMR of 45 percent. The U.S.
Army Research Laboratory found an FMR of 49 percent.
The final primary factor to consider when evaluating biometrics is
stability over time, but little work has been done to establish this.
Fingerprints are believed to be persistent from birth throughout life.
It is believed that irises are stable from before birth until death.
FRVT 2000 tested facial recognition with images collected a year before
identification or verification. The FMR for verification was 44 to 59
percent, while for identification it was 52 to 69 percent.
Fingerprint recognition appears to be the most mature of these
biometric technologies. Fingerprint recognition has been used the
longest and has been used with databases containing up to 40 million
entries. Iris recognition is young and has not been used with
populations approaching the size entailed in border control. While
facial recognition has also been used with large databases, its
accuracy results in testing have lagged behind those of iris and
fingerprint recognition. IBG believes that further research, costing
between $50 million and $100 million, would be required to determine
whether iris or facial recognition could perform at the same level as
fingerprint recognition.
How Introducing the Technology Affects People and Procedures:
The success of any border security technology depends on the border
control procedures as well as the people engaged in those procedures.
Technology is not a solution in isolation. Technology and people must
work together to execute the border control process--from issuing
travel documents to inspecting them at official ports of entry.
Introducing biometrics would affect people and processes differently,
depending on the specific scenario. Further, the performance of the
biometric technology can also affect the overall process. To check a
watch list before issuing travel documents, the following would need to
be considered:
* Installation of readers at consulates and embassies for visa
operations and at passport acceptance offices for passport operations
would require hiring additional staff and, in some cases, leasing
additional space.
* While the watch list identification check is essentially just an
additional computer check, high FMRs could increase the work of
consular officers and passport examiners and could delay the
disposition of applications if significant time were required to
reconcile false hits.
* Consular staff, passport acceptance agents, and passport examiners
would have to be trained.
* Mail-in and drop box applications could be expected to fall off
considerably, if not completely.
Similar concerns would need to be addressed to check a biometric watch
list before travelers enter the country.
* Installing readers at ports of entry would require hiring additional
staff and, in some cases, leasing additional space.
* Because the watch list identification check is essentially just an
additional computer check, similar to an IBIS check, hits would
probably result in secondary inspection of the traveler. High FMRs
could increase the work of inspectors and delay the passage of
travelers if significant time were required to reconcile false hits.
* Inspectors would have to be trained to collect the biometric from
travelers and to resolve watch list hits in secondary inspection. An
outreach campaign would likely be necessary to educate travelers about
the new biometric program.
One key impact, the increased time required to conduct an inspection
with a biometric watch list, would result from three key factors.
First, to check all identities through IBIS using a biometric watch
list would be a more substantive security check that would lengthen
primary inspection. As we have previously described, not all travelers
are now subjected to an IBIS name check. Second, while some have
suggested that biometrics could speed inspection, FAA tests suggest
biometrics would slow it down. FAA tests with biometric technology in a
physical access environment showed that transit time increased by 6 to
9 seconds when biometrics were added to a magnetic card entry system.
Third, an FMR that is too high could lead to excessive referrals of
travelers to secondary inspection and could increase workload to
resolve the false matches. For example, using facial recognition with a
watch list of 10 million people and just a 1 percent FMR would result
in an average of 100,000 false matches per traveler. Clearly, if the
watch list will be large, the FMR will need to be extremely low to
maintain workload at a manageable level.
For both watch list scenarios, policies and procedures would have to be
developed for adding and maintaining records in the watch list
database. Key questions that have to be answered for a watch list
database include who is added to the watch list, how someone is removed
from the watch list, and how errors can be corrected. One of the
biggest issues would be the selection of a biometric to identify
individuals on the watch list. Today’s watch lists are primarily name-
based and frequently list only the individual’s name, approximate age,
suspected nationality, or other identifying data. The selection could
be affected by who will be placed into the watch list because biometric
information for some people is not available. Facial recognition could
be the likely biometric technology for a watch list because often only
photographs are available for certain people inadmissible to the United
States. However, fingerprint recognition or iris recognition could also
be used if the United States could collect records on those
individuals.
To issue and verify visas with biometrics, changes would be required at
embassies and consulates to issue the visas and at ports of entry to
verify the identities of those traveling with visas. Specifically, the
following would need to be considered:
* Installing readers at consulates and embassies for visa operations
would require hiring additional staff and, in some cases, leasing
additional space.
* While the biometric identification check for duplicate or rejected
applications is essentially just an additional computer check, high
FMRs could increase the work of consular officers and delay the
disposition of visa applications if significant time were required to
reconcile false hits.
* Consular staff would have to be trained.
* Mail-in and drop box applications could be expected to fall off
considerably, if not completely.
Similarly, to issue and verify passports with biometrics, passport
acceptance office operations could be dramatically modified. Because
the vast majority of these offices are not State Department offices and
do not have State Department personnel or equipment, policy decisions
would have to be made regarding the installation of computers and
biometric equipment at these offices. Specifically, the following would
need to be considered:
* Installing readers at passport acceptance offices would require
hiring additional staff and, in some cases, leasing additional space.
* Because there is not a State Department presence at passport
acceptance offices, a mechanism would need to be developed to transmit
the collected biometrics on removable media or through a network
connection to the department.
* While the biometric identification check for duplicate or rejected
applications is essentially just an additional computer check, high
FMRs could increase the work of passport examiners and could delay the
disposition of passport applications if significant time were required
to reconcile false hits.
* Passport acceptance agents and passport examiners would have to be
trained.
* Mail-in applications could be expected to fall off considerably, if
not completely.
As we previously described for the use of a biometric watch list at the
ports of entry, the use of biometrics with visas or passports would
likely lengthen the inspection time. Although the matching operation
conducted with visas or passports with biometrics would be a
verification match instead of an identification match, the inspection
time could still go up for the same reasons. Checking that the bearer
of a travel document is the proper bearer of the document is a more
stringent check than is conducted today. Further, the performance of
the biometric technology affects the number of secondary inspections
conducted if travelers are not properly matched to their biometric.
Other issues that would need to be considered include:
* Installing readers at ports of entry would require hiring additional
staff and, in some cases, leasing additional space.
* Because the biometric verification check is essentially just an
additional computer check, similar to an IBIS check, hits would
probably result in secondary inspection of the traveler. An FMR that is
too high could lead to inadmissible people being allowed to enter the
country. An FNMR that is too high could lead to an increase in the
number of travelers referred to secondary inspection, adding to
requirements for space and personnel.
* Inspectors would have to be trained to collect the biometric from
travelers and to resolve watch list hits in secondary inspection. An
outreach campaign would likely be necessary to educate travelers about
the new biometric program.
The biometrics for visas and passports could be stored and verified
with or without tokens. Biometric data could be stored on tokens
travelers carried, to be compared with data from biometric readers at
ports of entry. A token could be a traveler’s visa or passport with the
biometric data stored on it as a bar code, or it could be a separate
memory storage card, such as a smart card or laser card.
In an approach without tokens, a traveler’s biometric data would be
stored in a central database to be queried during matching. The data in
the central database could be indexed by the visa or passport number or
simply by the traveler’s name combined with other identifying
information such as date of birth, Social Security number, or driver’s
license number.
Regardless of the comparison method for verification, the enrollment
process would be the same, whether at a consulate, embassy, or passport
acceptance office. It is critical that the biometric, once collected,
be securely linked to the visa or passport application and stored in a
central database for comparison to other records, ensuring that
duplicate identities are not being created. The operational concepts
are:
* Check against token containing biometric data. The traveler enters a
primary inspection area and presents to the inspector a token
containing his or her biometric data. The token is read and the
biometric data are decrypted and validated. The traveler’s stored
biometric data and the biometric data obtained from the biometric
reader are compared. If the data match, and if the inspector has no
other reason to deny admission, then the traveler is admitted to the
United States.
* Check against central database for biometric data. The traveler
enters a primary inspection area and presents to the inspector a travel
document or some other identifying information. Lacking a visa or
passport, the traveler must provide information detailed such that a
single record can be pulled from the central database. The remaining
steps are the same as in checking a biometric token.
Process flow issues must be considered. A central database of
biometrics would be required to prevent people from getting multiple
passports or visas under different identities and for verifying the
identity of a traveler whose token has been lost or stolen or becomes
unusable. In this case, it is important that the traveler be able to
provide enough information so that the inspector can check for and find
the appropriate records. It is also possible that an identification
match, instead of a verification match, could be run on an individual.
If a token is used, how it is produced must be considered. If it is to
be a modification of the current passport or visa--for example, if the
biometric is a two-dimensional bar code stored on the travel document-
-redesigning the passport or visa foil would be required. If the token
is to be a separate card, such as a smart card or a laser card, the
capital investment in a production facility would have to be
considered.
Using tokens for the biometric storage could affect the inspection
process. No studies have yet determined whether tokens expedite
inspection. Studies should be conducted to determine what effect local
data comparisons would have, compared with central database lookups.
For the three scenarios with biometric scanners at ports of entry, the
physical configuration at the ports of entry could pose a challenge for
collecting travelers’ biometrics and performing matches. Where there
are terminals, such as at airports, some seaports, and pedestrian ports
of entry, it would be relatively simple to install biometric readers
and to read travelers’ biometrics. An inspector checks travelers’
identities and names at booths equipped with IBIS. At most sea ports of
entry, where IBIS is not used, inspectors board the vessels to conduct
inspections of aliens, while U.S. citizens are inspected as they
disembark. Biometric readers could not be installed in such
circumstances, making collecting biometrics from travelers
challenging. Similarly, at land ports of entry, a way to collect
biometrics expeditiously from all occupants of a vehicle would have to
be developed.
For all four scenarios, exception processing would have to be carefully
planned. When an applicant fails to enroll in a biometric system or
when a system fails to correctly identify a person, that person must be
treated as an exception. Exception processing that is not as good as
biometric-based primary processing could be exploited as a security
hole. Exceptions include passport and visa applicants whose biometrics
cannot be properly enrolled in the system because they may not have the
physiological characteristic that the system recognizes. One solution
might be to use two or more biometric technologies in the same system,
reducing the number of people who could fail to be enrolled.
The failure of biometric scanners, failure to access the central
biometric database, failure to access the watch list, and
communications failure are other exceptions. Because it is unlikely
that inspections would cease, appropriate contingency plans would have
to be developed to ensure continuity of operations without sacrificing
security. Further, an appropriate transition strategy will be required
to handle simultaneously biometric travel documents and the current
travel documents that will remain valid without biometrics for the next
10 years.
Biometrics and Information Security:
Just as operational processes must be considered, infrastructure
processes must also be examined, particularly with respect to
information security. Binding an identity to the biometric features of
a person is only an entry in a database. Lax information security can
weaken or break that bond. Laws enacted over the past 15 years require
each federal agency to provide security protections for information
collected and maintained by or for the agency commensurate with the
risk and magnitude of harm that would result from unauthorized
disclosure, disruption, modification, or destruction of the
information.[Footnote 23]
Despite these statutory requirements, we have previously reported that
poor information security is a widespread federal problem with
potentially devastating consequences.[Footnote 24] Although agencies
have taken steps to redesign and strengthen their information system
security programs, our analyses of information security at major
federal agencies have shown that federal systems were not being
adequately protected from computer-based threats, even though these
systems process, store, and transmit enormous amounts of sensitive data
and are indispensable to many federal agency operations. These
weaknesses continue, as indicated by our analyses of 24 large federal
agencies that considered the results of inspector general reports and
our reports published between July 2000 and September 2001.[Footnote
25]
The security challenges directly affect the ability to implement
existing laws and policies for protecting personal, proprietary, law
enforcement, and national security information. Such safeguards require
the appropriate tools to maintain confidentiality and ensure only
authorized access, sharing, and use. Without appropriate security
tools, the protection of this information will be at risk.
The information security challenges involved with a biometric system
deal with the protection of biometric data--whether they are a
biometric watch list or biometric reference templates stored in a
central database or on a token--and the transmission of those data.
Table 11 gives examples of operational issues, risks, and techniques
related to binding individuals to their biometric information when
issuing them visas or passports with biometrics. The binding process
between a user and biometric information is critical to the success of
a biometric-based user-authentication system. A process that does not
have strong binding mechanisms will provide little improvement over
existing processes.
Table 11: Security Risks and Mitigating Techniques:
Event: Unauthorized changes are made to data in the central database--
e.g., the biometric data associated with S. Smith is changed so she can
claim an identity such as A. Smith; Adverse effect: The binding of a
person to her biometric data is lost--in effect, she can assume
multiple identities; Mitigating technique: Electronic signatures can
ensure data integrity; system can periodically check to ensure that the
data and associated signature still agree. Original data can be
restored from a secure backup when a modification is detected.[A].
Event: Unauthorized changes are made to a token’s data--e.g., biometric
data originally stored with a given identity are replaced with
biometric data associated with an impostor; Adverse effect: The
binding of a person to his or her biometric data is lost--in effect, he
or she can claim the identity of another person or assume multiple
identities, using the same token; Mitigating technique: Electronic
signatures generated by a central database at enrollment can ensure a
token’s data integrity. The data can be changed but changes would be
detected, since the system would not validate the electronic signature
generated during enrollment with the original data.
Event: A rogue government official generates a false identity for a
person with the correct biometrics but altered name or birth date to
bypass the system’s checks for detecting suspicious individuals;
Adverse effect: The binding of the person to her biometrics is not
compromised, but the system cannot ensure that travel documents are
issued only to an authorized person; Mitigating technique: Split
knowledge and dual control techniques can ensure that at least two
persons validate the identity data provided to the system. Also, once
identified, the electronic signature of the official who authorized the
token can easily be revoked.
Event: Biometric data on a token or in a database are compromised by
unauthorized disclosure; Adverse effect: Since the public may believe
that biometric data are as confidential as a Social Security number,
their unauthorized disclosure may lead to identity theft and a public
relations problem; Mitigating technique: A token’s biometric data can
be encrypted to ensure that its loss or theft does not compromise the
data. Although encrypting the database might make searching for
duplicate values unrealistic, other controls can reasonably limit
access to biometric images to authorized persons and processes.
[A] Electronic signatures are commonly used to provide assurances that
unauthorized changes are not made to data. They may also represent an
individual or an entity. A system-generated electronic signature should
be (1) unique to the signer, (2) under the signer’s sole control, (3)
verifiable, and (4) linked to the data in a way such that if the data
are changed, the signature is invalidated on verification. See U.S.
General Accounting Office, Information Security: Advances and Remaining
Challenges to Adoption of Public Key Infrastructure Technology, GAO-01-
277 (Washington, D.C.: February 26, 2001).
Source: GAO analysis.
[End of table]
Weighing Costs and Benefits:
Before any significant project investment is made, the benefit and cost
information should be analyzed and assessed in detail. A business case
should be developed that identifies the organizational needs for the
project. A clear statement of high-level system goals should drive the
overall concept of a U.S. border control system. Every aspect of the
overall system--from the selection of biometrics to the system
architecture--depends on the overall system goals. The high-level goals
should address the system’s expected outcomes--for example,
* binding a biometric feature to an identity (information such as name,
date of birth, place of birth) shown on a travel document,
* identifying undesirable individuals on a watch list,
* checking for duplicate enrollments,
* verifying identities at the borders,
* ensuring the adequacy of privacy protections, and:
* ensuring the security of the biometric information.
Certain performance parameters should also be carefully specified,
including, among others, the:
* time required to enroll people,
* time required to verify each person’s identity by comparing the
biometrics against a stored template,;
* acceptable overall FMR and FNMR, and:
* maximum population the system must handle.
Similarly, not only must the costs of the technology be considered but
also the costs of the effects on people and processes. A biometric-
based border control system is bound to require significant up-front
investments and a certain level of recurring costs to keep it
operating. Weighed against these costs are the security benefits that
accrue from using the system. Analyzing this cost-benefit trade-off is
crucial when choosing specific biometrics-based border control
solutions. The consequences of performance issues--for example,
accuracy problems, their effect on processes and people, and their
costs--are also important in selecting a biometric technology.
The desired benefit of all the scenarios we describe is to prevent the
entry of travelers who are inadmissible into the United States. More
specifically, in both watch list scenarios, a biometric check could
improve security by adding a watch list check to the name-based watch
list checks already being performed. A biometric watch list could help
detect travelers who are trying to evade detection and who have
successfully established a separate name and identity. Biometrics that
are unique to these individuals should identify them in biometric
checks against the entries in the watch list. A biometric watch list
could help detect certain travelers, even when a name or other
biographical information about an individual on a watch list is
unknown.
The quantitative benefit of the watch list scenarios (i.e., the number
of travelers prevented from obtaining U.S. travel documents or denied
access to the United States) would depend on the performance of the
biometric technology, the quality of the biometrics in the watch list,
and the data in the watch list. As we have described, the performance
of the biometric technology will determine the additional number of
people apprehended as well as the additional number of people
identified incorrectly. The performance of the biometric technology is
also dependent on the size of the biometric watch list. As more people
are added to the watch list, the probability of a false match for any
given traveler increases. While apprehending more people increases
security, further questioning people identified incorrectly increases
the operational costs of implementing the technology. The better the
quality of the biometric in the watch list, the more likely it is that
the technology will correctly match a traveler to it. Finally, if
effective policies and procedures are not implemented to populate the
watch list, the system’s effectiveness will not be as great as it could
be.
For issuing passports and visas with biometrics, the key benefit is to
positively identify travelers as they enter the United States and to
cut down on the use of fraudulent travel documents, including
counterfeit and modified documents and impostors’ use of legitimate
documents. Travel documents would continue to serve as evidence that
the bearer has the right of entry. The addition of biometrics can link
the individual to the travel document and serve as evidence that the
present bearer of the document is indeed the proper bearer. At ports of
entry, INS inspectors intercepted more than 114,000 fraudulent
documents last year (see table 12). About one-third of the intercepted
documents were U.S. passports or visas.
Table 12: The Number and Type of Fraudulent Documents INS Inspectors
Intercepted, Fiscal Year 2001:
Document type: Border crossing cards; Number intercepted: 30,419.
Document type: Alien registration cards; Number intercepted: 26,259.
Document type: Nonimmigrant visas; Number intercepted: 21,127.
Document type: U.S. passport and citizenship documents; Number
intercepted: 18,925.
Document type: Foreign passport and citizenship documents; Number
intercepted: 15,994.
Document type: Reentry permit and refugee travel documents; Number
intercepted: 702.
Document type: Immigrant visas; Number intercepted: 597.
Document type: Total; Number intercepted: 114,023.
Source: INS.
[End of table]
The Census Bureau has estimated that between 7.7 million and 8.8
million unauthorized immigrants were in the United States in
2000.[Footnote 26] INS has estimated that the annual increase in the
number of unauthorized immigrants is about 275,000.[Footnote 27] Of
this number, INS estimates that about 60 percent of illegal immigration
occurred “between the borders” and not at a port of entry where people
or documents could be inspected. INS estimates that the remaining 40
percent of the undocumented population are nonimmigrant overstays,
meaning they entered legally on a temporary basis but failed to depart.
While it appears that current border control processes reduced the
annual number of unauthorized entrants by about one-third, it is not
known how many other travelers used fraudulent documents to enter the
United States. Today, inspectors check identity manually, comparing
photographs in a travel document with the face of the person carrying
the document.
Linking biometrics to visas and passports would help ensure that
travelers could not obtain travel documents under alternative
identities once they had already applied for initial documents and
established a biometric identity in the system. It would also help
ensure that travelers who crossed the borders were the persons depicted
on their travel documents. These two benefits could potentially
decrease document fraud by making it harder to obtain a visa or
passport under an assumed identity. The scenario could also reduce the
use of counterfeit visas and passports and the use of legitimate
documents by impostors.
Limitations to this approach are that a visa or passport biometric
cannot necessarily link a person to his or her true identity, although
it can bind him or her to a single identity within a system. A visa or
passport biometric system would make it more difficult for people to
establish multiple identities. Nevertheless, if the one identity a
person claimed were not his or her true identity, then the person would
be linked to the false identity in the biometric system.
Issuing visas with biometrics may have a limited effect because of the
relatively few travelers who must carry a visa to enter the United
States. While nonimmigrant aliens made 239 million border crossings
last year, many were not required to present a visa at the port of
entry, including Canadians, Mexicans who possessed a border crossing
card, and aliens entering through the visa waiver program. It is
estimated that in only about 22 million crossings were aliens required
to have a visa to enter the United States last year--about 15 million
entered as visitors or with task-specific visas (e.g., students), and
another 7 million entered as crew on airplanes or ships. Even though
the current Mexican border crossing cards are issued with two
fingerprint templates on the card, it is unclear how Mexicans would be
affected by a decision to issue visas with biometrics.
Issuing passports with biometrics might also have limited effect
because passports are not required of U.S. citizens when they enter the
United States from Canada or Mexico. While U.S. citizens made more than
179 million border crossings last year, it is not clear how many of
them needed or presented a passport to inspectors at the ports of
entry.
While it is standard practice to quantify benefits in monetary terms,
it is difficult to do so for security applications. The monetary
benefits of keeping inadmissible people out of the country depend on
the activities undertaken while these travelers are in the country.
Some inadmissible people may simply affect the labor supply, while
others may conduct criminal or terrorist activities. Further
information, including behavioral assumptions, would be necessary in
order to characterize the value of preventing the entry of inadmissible
persons.
As we have already stated, biometric technology is not a panacea for
all border security problems. For example, none of these scenarios
addresses two other key problems with border security. Previous INS
estimates of illegal immigration were that about 60 percent of all
illegal immigrants entered “between the borders,” not at a port of
entry where they could be inspected. The scenarios we describe also
will not help address problems with aliens’ overstaying their visits;
aliens who overstay have already presented themselves at a port of
entry and were admitted by an inspector.
System Life-Cycle Costs:
For each of the four scenarios, we created cost models to estimate the
cost of developing, implementing, and maintaining various biometric
processes. Besides including in the models the cost of purchasing the
biometric hardware, we estimated costs for additional hardware,
software, maintenance, personnel, training, and effects on other
procedures in order to derive life-cycle cost estimates. We used DODís
definition of life-cycle cost, which includes all costs the government
incurs in designing, developing, and operating a system through its
life cycle, from its initiation through disposal of the system at the
end of its useful life. We followed the cost element structure that DOD
uses at acquisition program milestone and decision reviews to assess
major automated information systems costs. Tailoring this structure to
reflect our four scenarios, we used it to standardize costs so that
they could be compared at a high level.
We present the costs in two parts. Initial costs represent the costs
required to plan, design, develop, and field the system. Recurring
costs represent the annual costs required to operate and continually
maintain the system to keep it in operation.
We estimated seven sets of initial cost elements: costs for systems
engineering and program management; development, installation, and
training; biometric hardware; biometric software; network
infrastructure; renovating consular facilities; and hardware
infrastructure upgrades. We estimated ten sets of recurring cost
elements: program management; biometric hardware maintenance; software
and system maintenance; network infrastructure maintenance; consular
operating personnel; port of entry operating personnel; communications;
training; consular facility maintenance; and annual supplies. (More
details on the cost elements can be found in appendix VI.):
Assumptions:
We prepared the life-cycle cost estimates using fiscal year 2002
constant dollarsóthat is, inflation was not considered for the multiple
years over which funds would be required for acquisitionóand they
represent rough order of magnitude costs. In addition, the estimates in
our technology assessment are best guesses and should not be considered
ìbudget quality.î They attempt to provide a high-level view of what
costs could potentially be, given the assumptions we describe here. In
order to develop budget-quality estimates, more details about the
system to be built are required, including an operational concept,
detailed requirements, site surveys, and vendor proposal data.
Following are the assumptions that frame the boundary of our cost
estimates.
Scenario life-cycle cost estimates represent development and
installation time plus 10 yearsí operational life. Phasing of costs
over time is simplified, and actual schedules to both develop and
install equipment and infrastructure will most likely differ.
Biometric technologiesófingerprint, facial, and iris
recognitionórepresent standardization to a single vendorís protocols.
Biometric technology costs represent the average costs of vendorsí
products. Four flat fingerprints will be collected for fingerprint
recognition.
There are 210 visa-issuing embassies and consulates worldwide. There
are 4,500 passport acceptance offices. There are 3,950 primary and
secondary inspection stations at 400 ports of entry.
Personnel costs reflect both direct costs and indirect costs. Three
personnel will be needed to troubleshoot equipment at each port of
entry, or 1,200 additional staff.
No costs were estimated for:
* additional inspectors at ports of entry,
* additional facility space for passport acceptance offices or at ports
of entry for primary and secondary inspections,
* biometric equipment for exiting the United States,and:
* biometric security technology (e.g., encryption of biometric data).
Costs for Scenarios 1 and
2: Watch List Checks:
We used the following assumptions to create the cost estimates for the
two biometric watch list scenarios:
* The watch list database will include 10 million records.
* Matches will be performed using facial recognition technology.
* To conduct watch list checks before issuing travel documents, facial
images will be generated by capturing the physical photographs
applicants present when they apply for a visa or passport.
* The images will be collected and scanned at consulates and embassies
for visas and at passport acceptance offices and transmitted through
telecommunications resources to a central facility in metropolitan
Washington, D.C.
Estimates include costs for a primary central processing facility and a
contingency processing site. Table 13 summarizes the costs for the two
watch list scenarios.
Table 13: Estimated Costs for Watch List Checks:
Scenario: 1. Watch list check before issuing travel documents; Initial:
$52.8; Recurring: $72.9.
Scenario: 2. Watch list check before entering the United States;
Initial: $330.2; Recurring: $237.0.
Note: Dollars are in millions.
Source: GAO analysis.
:
[End of table]
In scenario 1, the major cost is additional consular staff to review
biometric watch list hits. It is assumed that each embassy or consulate
will require at least one additional foreign service officer to review
biometric watch list hits before visas are issued. If the performance
of the biometric technology requires more reviews and consequently more
staff, the cost of the scenario will increase. Of the $52.8 million
initial cost, $33.1 million is for the placement of 221 additional
foreign service officers. Only $19.8 million is for the systemís
development, installation, and associated costs. Similarly, of the
$72.9 million recurring costs per year, $50.7 million is for additional
foreign service officers. Because it is unclear how many additional
passport examiners would be required to review biometric watch list
hits for passports, we have not included costs for additional passport
examiners.
In scenario 2, adding facial recognition technology at the 400 ports of
entry greatly increases costs over scenario 1. The additional costs
related to developing and installing equipment at 3,950 primary and
secondary inspection stations at the ports of entry adds another $200
million to the systemís initial cost. (More details on the estimated
costs for conducting watch list checks with biometrics can be found in
appendix VI.):
Costs for Scenarios 3 and 4: U.S. Visas and Passports with Biometrics:
We used the following assumptions to estimate the costs of adding
biometrics to visas and to passports:
* The number of visa applicants will remain constant at 10.3 million
annually. The number of travelers in the visa waiver program will
remain constant at 14 million annually.
* The number of passport applicants will remain constant at 7 million
annually.
* Enrolling travelers using a single biometric (whether for
fingerprint, facial, or iris recognition) is estimated at 6 minutes (10
applicants enrolled per hour).
* Enrolling travelers using multiple biometrics (e.g., fingerprint and
facial combined, fingerprint and iris combined, or fingerprint, facial,
and iris combined) is estimated at 10 minutes (6 applicants enrolled
per hour).
* All current visa-issuing embassies and consulates and passport
acceptance offices will be equipped to collect biometrics from visa and
passport applicants, respectively.
* Biometric token cards will be used to verify identities.
We present cost estimates for six different combinations of biometric
technologies under two different possibilities for issuing visas (see
table 14). The State Department receives about 10.3 million visa
applications each year. In fiscal year 2000, INS estimated that
approximately 14 million individuals traveled under the visa waiver
program. If these travelers must obtain a visa to travel to the United
States, we assume that this same number would also be required to have
their biometric sample collected. An additional 14 million applicants
increases the initial costs of the biometric system by about 30 percent
and annual recurring costs by about 50 percent. The costs differ
between the different combinations of biometrics because of the
different costs of the different types of equipment and the increased
time required to enroll people if more than one biometric is used.
Table 14: Estimated Costs for Issuing Visas with Biometrics:
Annual visa applications: Annual visa applications : 10.3 million
with visa waiver program: [Empty].
Annual visa applications: 10.3 million
with visa waiver program: Scenario 3: Issuing visas with biometrics:
Initial: Recurring: [Empty].
Scenario 3: Issuing visas with biometrics: Fingerprint recognition;
Initial: $1,422; Annual visa applications: 10.3 million
with visa waiver program: Recurring: $708; Annual visa applications:
10.3 million with visa waiver program: [Empty]; Annual visa
applications: 24.3 million: Initial: $1,879; Annual visa applications:
24.3 million: Recurring: $1,077.
Scenario 3: Issuing visas with biometrics: Iris recognition; Initial:
1,419; Annual visa applications: 10.3 million with visa waiver program:
Recurring: 707; Annual visa applications: 10.3 million with visa waiver
program: [Empty]; Annual visa applications: 24.3 million: Initial:
1,876; Annual visa applications: 24.3 million: Recurring: 1,075.
Scenario 3: Issuing visas with biometrics: Facial recognition; Initial:
1,399; Annual visa applications: 10.3 million
with visa waiver program: Recurring: 698; Annual visa applications:
10.3 million with visa waiver program: [Empty]; Annual visa
applications:
24.3 million: Initial: 1,851; Annual visa applications: 24.3 million:
Recurring: 1,065.
Scenario 3: Issuing visas with biometrics: Fingerprint and iris
recognition; Initial: 1,926; Annual visa applications: 10.3 million
with visa waiver program: Recurring: 863; Annual visa applications:
10.3 million with visa waiver program: [Empty]; Annual visa
applications: 24.3 million: Initial: 2,509; Annual visa applications:
24.3 million: Recurring: 1,331.
Scenario 3: Issuing visas with biometrics: Fingerprint and facial
recognition; Initial: 1,904; Annual visa applications: 10.3 million
with visa waiver program: Recurring: 854; Annual visa applications:
10.3 million with visa waiver program: [Empty]; Annual visa
applications:
24.3 million: Initial: 2,479; Annual visa applications: 24.3 million:
Recurring: 1,318.
Scenario 3: Issuing visas with biometrics: Fingerprint, iris, and
facial recognition; Initial: 2,243; Annual visa applications: 10.3
million with visa waiver program: Recurring: 970; Annual visa
applications: 10.3 million with visa waiver program: [Empty]; Annual
visa
applications: 24.3 million: Initial: 2,845; Annual visa applications:
24.3 million: Recurring: 1,482.
Note: Dollars are in millions.
Source: GAO analysis.
[End of table]
Operating personnel and space at the embassies and consulates are a
major component of the cost estimates. Table 15 shows the initial and
recurring costs for consular operating personnel and space when using
single biometric and multiple biometrics. Depending on the combination
of biometric technologies, we estimate the costs of consular operating
personnel and space at 21 to 31 percent of initial costs and 23 to 29
percent of recurring costs. We did not include costs at ports of entry
for facility renovation or personnel to verify the biometrics of
travelers with visas as they enter the country.
Table 15: Estimated Consular Costs for Issuing Visas with Biometrics:
Annual visa applicants:
Scenario 3: Issuing visas with biometrics; [Empty]; Annual visa
applicants: 10.3 million: [Empty].
Operating personnel; Single biometric; Annual visa applicants: 10.3
million: Initial: $75.9; Annual visa applicants: 10.3 million:
Recurring: $111.6; Annual visa applicants: 10.3 million: [Empty];
Annual visa applicants: Initial: $114.9; Annual visa applicants: 24.3
million: Recurring: $150.6.
Multiple biometrics; Annual visa applicants: 10.3 million: Initial:
95.0; Annual visa applicants: 10.3 million: Recurring: 130.7; Annual
visa applicants: 10.3 million: [Empty]; Annual visa applicants:
Initial: 160.0; Annual visa applicants: 24.3 million: Recurring:
195.7.
Space; Single biometric; Annual visa applicants: 10.3 million: Initial:
335.8; Annual visa applicants: 10.3 million: Recurring: 89.5; Annual
visa applicants: 10.3 million: [Empty]; Annual visa applicants:
Initial: 463.6; Annual visa applicants: 24.3 million: Recurring: 123.6.
Multiple biometrics; Annual visa applicants: 10.3 million: Initial:
378.2; Annual visa applicants: 10.3 million: Recurring: 100.9; Annual
visa applicants: 10.3 million: [Empty]; Annual visa applicants:
Initial: 563.7; Annual visa applicants: 24.3 million: Recurring:
150.5.
Note: Dollars are in millions.
Source: GAO analysis.
[End of table]
Another major recurring cost is storage media for the biometric. At a
cost of about $15 per card for laser cards, this adds more than $150
million to the recurring costs for 10.3 million visa applicants, or
more than $360 million for 24.3 million applicants.
Table 16 summarizes the costs of issuing passports with biometrics with
six different combinations of biometric technologies. Scenario 4 is by
far the most expensive. The primary cost difference between issuing
visas with biometrics and passports with biometrics is in the number of
issuing locations. While only 210 embassies and consulates can receive
visa applications, and even though fewer passport applications are
received annually than visa applications, there are more than 20 times
more passport acceptance offices (4,500) than embassies and consulates
that issue visas. This greater number of locations has a direct effect
on the estimates of initial and recurring costs for this scenario.
Table 16: Estimated Costs for Issuing Passports with Biometrics:
Scenario 4: Issuing passports with biometrics: Fingerprint recognition;
Initial: $4,491; Recurring: $1,574.
Scenario 4: Issuing passports with biometrics: Iris recognition;
Initial: 4,486; Recurring: 1,572.
Scenario 4: Issuing passports with biometrics: Facial recognition;
Initial: 4,446; Recurring: 1,555.
Scenario 4: Issuing passports with biometrics: Fingerprint and iris
recognition; Initial: 6,694; Recurring: 1,978.
Scenario 4: Issuing passports with biometrics: Fingerprint and facial
recognition; Initial: 6,655; Recurring: 1,961.
Scenario 4: Issuing passports with biometrics: Fingerprint, iris, and
facial recognition; Initial: 8,766; Recurring: 2,363.
Note: Dollars are in millions.
Source: GAO analysis.
[End of table]
As with the scenario in which visas are issued with biometrics, two
major costs are the costs of cards to store the biometrics and the
personnel required to collect the biometric sample from passport
applicants. The cost of cards adds more than $100 million per year to
the costs of the biometric system. While it is not clear how biometrics
would be collected at passport acceptance offices, we assumed that
collection at each office would require one additional staff person,
for an additional annual cost of $443.8 million. We did not include
costs for additional space at the offices.
In the scenarios where biometrics are added at the ports of entry
(i.e., performing a watch list check before entering the United States
and issuing visas and passports with biometrics), the cost of
additional inspectors is not included. As we have previously described,
the addition of biometrics at the ports of entry would likely increase
the inspection time of each traveler. Without the addition of
inspectors and the corresponding space (i.e., inspection stations or
lanes), delays would go up at the ports of entry. We did not analyze
how many additional inspectors would be required to maintain current
service times. These costs will have to be collected and analyzed as
part of the preparation for a budget-quality estimate should the
government wish to pursue one of these options. (More details on the
estimated costs of issuing visas and passports with biometrics can be
found in appendix VI.):
Uncertainty Analysis:
Simulation is an analytical method meant to imitate a real-life system,
especially when other analyses are too mathematically complex or too
difficult to reproduce. Risk analysis uses both a spreadsheet model and
simulation to analyze the effect of varying the inputs to a modeled
system on the outputs. One type of spreadsheet simulation is Monte
Carlo, which randomly generates values for uncertain variables over and
over to simulate a model. The simulation results show not only the
different result values but also the probability (or certainty) of
values.
We used both the initial and recurring costs as the forecast values and
ran the Monte Carlo simulation for each of the four scenarios. We
applied a probability distribution to each parameter that we thought
could vary, such as the costs for development and installation, annual
operating personnel, and additional square feet in embassy or consular
facilities. Table 17 shows our estimates, the level of certainty
calculated by the simulation for our estimates, and the cost for each
scenario at the 90 percent certainty level. For issuing visas and
passports with biometrics, we simulated only two of the six possible
combinationsóone using a single biometric and one using multiple
biometrics.
Table 17: Cost Estimate Uncertainty Analysis for Four Scenarios:
Scenario: 1. Watch list check before issuing document; Cost: $52.8;
Initial: % certainty: 50%; Cost at 90% certainty: $53.3; [Empty];
Recurring: Cost: $72.9; Recurring: % certainty: 50%; Recurring: Cost at
90% certainty: $74.2.
Scenario: 2. Watch list check and facial recognition; Cost: 330.2;
Initial: % certainty: 50; Cost at 90% certainty: 347.9; [Empty];
Recurring: Cost: 237.0; Recurring: % certainty: 91; Recurring: Cost at
90% certainty: 236.4.
Scenario: 3. Visa; Cost: [Empty]; Initial: % certainty: [Empty]; Cost
at 90% certainty: [Empty]; [Empty]; Recurring: Cost: [Empty];
Recurring: % certainty: [Empty]; Recurring: Cost at 90% certainty:
[Empty].
Scenario: Fingerprint recognition; Cost: 1,879; Initial: % certainty:
70; Cost at 90% certainty: 1,923; [Empty]; Recurring: Cost: 1,077;
Recurring: % certainty: 91; Recurring: Cost at 90% certainty: 1,059.
Scenario: Fingerprint and facial recognition; Cost: 2,479; Initial: %
certainty: 60; Cost at 90% certainty: 2,529; [Empty]; Recurring: Cost:
1,318; Recurring: % certainty: 89; Recurring: Cost at 90% certainty:
1,324.
Scenario: 4. Passport; Cost: [Empty]; Initial: % certainty: [Empty];
Cost at 90% certainty: [Empty]; [Empty]; Recurring: Cost: [Empty];
Recurring: % certainty: [Empty]; Recurring: Cost at 90% certainty:
[Empty].
Scenario: Facial recognition; Cost: 4,446; Initial: % certainty: 60;
Cost at 90% certainty: 4,725; [Empty]; Recurring: Cost: 1,555;
Recurring: % certainty: 92; Recurring: Cost at 90% certainty: 1,518.
Scenario: Fingerprint and iris recognition; Cost: 6,694; Initial: %
certainty: 70; Cost at 90% certainty: 6,892; [Empty]; Recurring: Cost:
1,978; Recurring: % certainty: 91; Recurring: Cost at 90% certainty:
1,953.
Note: Dollars are in millions.
Source: GAO analysis.
[End of table]
Developing, integrating, deploying, and maintaining biometrics to help
secure the nationís borders will be costly. For example, the cost to
implement visas with biometric technologies would be on a par with a
major DOD weapons systems acquisition or FAAís Standard Terminal
Automation Replacement System.
Effects on Privacy and the Economy:
Privacy and Civil Liberties:
Underlying much discussion about the deployment of biometric technology
are questions about the sufficiency of information management laws,
such as the Privacy Act of 1974 and the Computer Security Act of 1987,
to protect civil liberties.[Footnote 28] Periodic public surveys have
revealed a distinct unease with the potential ability of the federal
government to monitor individuals’ movement and transactions.
The Privacy Act limits federal agencies’ collection, use, and
disclosure of personal information. The act’s protections are keyed to
the retrieval of personal information by an “identifying number,
symbol, or other identifying particular assigned to the individual,
such as a finger or voice print, or a photograph.”[Footnote 29]
Accordingly, the Privacy Act generally covers federal agency use of
personal biometric information.
As a practical matter, however, the act is likely to have a more
limited application to biometric information in the context of border
control. First, it applies only to personal information regarding U.S.
citizens and lawfully admitted permanent resident aliens.[Footnote 30]
Second, the act includes a number of exemptions that permit the
disclosure of otherwise covered information for internal agency use,
for compatible “routine uses,” and for law enforcement and national
security purposes.[Footnote 31]
Representatives of civil liberties groups and privacy experts are
concerned about (1) the adequacy of protections for security, data
sharing, identity theft, and other identified uses and (2) secondary
uses and “function creep.” A significant number of concerns raised
during our interviews and conferences relate to the adequacy of
protections under current law for the large-scale data handling in a
biometric system. Besides information security, concern was voiced
about an absence of clear criteria for governing data sharing. The
broad exemptions of the Privacy Act, for example, provide no guidance
on the extent of the appropriate uses law enforcement may make of
biometric information.
Of equal concern is a tendency for large organizations to develop
secondary uses of information; information collected for one purpose
tends over time to be used for other purposes as well. The history of
the Social Security number, for example, gives ample evidence of how an
identifier developed for one specific use has become a mainstay of
identification for many other purposes, governmental and
nongovernmental.[Footnote 32] Secondary uses of the Social Security
number have been a matter not of technical controls but, rather,
changing policy and administrative priorities. Further, some are
concerned that biometric information can potentially be linked to
multiple databases or to a vast national database. Questions being
raised include what data would be included or linked to a biometric
identification card; who would have access to such information,
legitimately or otherwise; and how people who can access such data
could use them.
Still others mention major concerns under the three headings of
tracking, profiling, and loss of anonymity. Tracking is real-time, or
near-real-time, surveillance in which a person’s movements are followed
through her biometrics-enabled transactions. While none of the
scenarios we discuss use biometric technologies for surveillance, we
have heard concerns raised about ways in which anonymity is likely to
be undermined by surveillance. For example, many civil liberties groups
are extremely concerned about the application of facial recognition
technology for surveillance, which, like video surveillance, could
result in the loss of anonymity in public places.
Profiling is the reconstruction of a person’s movements or transactions
over a specific period of time, usually to ascertain something about
her habits, tastes, or predilections. Profiling for race, ethnicity, or
national origin has caused much public debate in recent years. Tracking
and profiling can destroy anonymity. The lack of clear policy goals and
any flaws in the operation of biometric technology could compound all
these concerns.
Concerns have also been raised about whether certain biometric data
might reveal medical predispositions or personal health histories whose
use could result in denial of insurance coverage or employment. For
example, while not currently viable, the use of DNA matching as a
biometric technology would be of concern because of the personal
medical information that could be gleaned from it.
Not only are there concerns with secondary uses, but there are also
concerns with unauthorized uses. Our recent studies on identity theft
and studies by others reflect the difficulty of accurately measuring
identification theft.[Footnote 33] Developing a large-scale
interoperable system such as a watch list system or issuing visas or
passports with biometrics could increase the risks of identity theft
and other unauthorized uses of personal information if the biometric
data are not properly protected.
Biometrics industry groups, while expressing their appreciation of
privacy concerns, have responded by saying that biometric products are
“privacy neutral” and that it is how they are used that reflects either
privacy invasion or privacy protection. IBG has developed a framework
for defining the potential privacy risks borne by specific biometric
technologies and their deployment. IBIA is also advocating on behalf of
the industry to create responsible use guidelines and public policy.
Industry groups emphasize self-regulation, which some privacy groups
assert is not enough because markets are erratic and because, they say,
the high value placed on data means incentives for violation are too
high. Nonindustry groups have also developed privacy frameworks. The
Internal Revenue Service (IRS) published a guide to developing privacy
impact assessments for information technology. Also, the RAND
Corporation developed a four-step approach for responding to
sociocultural concerns about biometrics. Table 18 combines some of the
salient characteristics of the guidelines IBG, IRS, and RAND developed
and outlines many of the questions to be answered in assessing the
potential effect on privacy from any new biometric system.
Table 18: Summary of Biometric Systems Privacy Guidelines:
Issue: Scope and capabilities; Guideline: Does the system have a
clearly and narrowly defined purpose?; Who will use the system?; Have
potential system capabilities been evaluated?; Has there been an
evaluation of a range of alternative choices, including biometrics?;
What types of information will be available through the biometric?;
Will the biometric information be used as a universal unique
identifier?; Will the storage of biometric information include
extraneous information?; Will the system store the original biometric
data?.
Issue: Data protection; Guideline: Will the system separate biometric
information from other types of personal information?; What procedures
will limit access to the system? Who will have access? Do other systems
or agencies share or have access to data in this system? If data are
being consolidated, what controls protect them from unauthorized access
or use?; How will the system ensure accuracy? What are the sources of
information in the system? How will data collected from other sources
be verified for accuracy?; Will the system derive new data or create
previously unavailable data about an individual through aggregation
from the information collected? Can the system make determinations
about individuals that would not be possible without the new data?; How
long will data be retained in the system? What are the procedures for
eliminating the data at the end of the retention period? While the data
are retained in the system, what are the requirements for determining
whether the data are sufficiently accurate, timely, and complete to
ensure fairness?.
Issue: User protection; Guideline: Will users have the ability to
unenroll?; Will users be able to access and correct their biometric
information?; Will there be procedures for anonymous enrollment?; Will
the system and its use ensure individuals’ equitable treatment? If the
system is operated in more than one site, how will consistent use of
the system and data be maintained?; Will the system be able to
identify, locate, and monitor individuals or groups of people? What
controls will prevent unauthorized monitoring?.
Issue: Disclosure, auditing, accountability, and oversight; Guideline:
Will there be full disclosure of audit data?; Will the system’s purpose
be disclosed? Will the enrollment, verification, and identification
processes be disclosed? Will the names of the individuals and entities
responsible for system operation and oversight be accessible?; Will
users be informed about optional versus mandatory enrollment?; Will a
board or committee assess biometric data policies?; Will third parties
oversee the system? Who will review requests for access to biometric
data? Who ensures that the biometric program is responsive to privacy
concerns?.
Source: GAO summary of data from IBG, IRS, and RAND Corporation.
[End of table]
These guidelines can help decision makers and other stakeholders
approach privacy issues and determine the appropriate balance of
privacy and security to build into the system. However, because there
is no general agreement on the answers to these guidance questions,
further policy decisions are needed. The range of unresolved policy
issues suggests that questions surrounding the use of biometric
technology center as much on management policies as on technical
issues.
Convenience for Travelers:
As previously described, implementing biometrics could lengthen the
process of obtaining travel documents or entering the United States. At
some posts, visas are issued the same day applications are received. If
significant time is required to resolve biometric watch list or visa
database hits, issuing visas could be delayed. At the ports of entry,
in order to avoid long lines of pedestrians and vehicles, each
inspection has to be fast--according to INS officials in El Paso,
Texas, for example, any time longer than 15 seconds would cause
staggering delays. Even so, the busiest ports of entry regularly have
delays of 2 to 3 hours.
Checking the biometric identity of passengers in vehicles is especially
challenging. In a biometric system, would passengers have to exit their
vehicles in order to have their biometrics checked? Any increase in
inspection times could compound delays. Delays inconvenience travelers
and increase their costs. Studies have been conducted on the value of
travel time, and further studies in this area could help determine
whether the increased security could result in fewer visits to the
United States or lost business to the nation.
Economic Impact:
While biometrics-based border control would affect regional economies
and various economic sectors, it is difficult to quantify its effect.
However, we can postulate that the travel and tourism industry might be
adversely affected. Spending by international travelers in the United
States totaled about $103 billion in 2000 and $90 billion in 2001. This
spending is particularly important for California, Florida, and New
York, which together account for more than half of all spending by
international overseas visitors. If a biometric system made it more
difficult to obtain visas for whatever reason, from higher visa fees to
longer time between application and issuance, international travelers
might choose to visit other countries instead. Further, there are
concerns that if fingerprint recognition technology were used, the
number of visitors from countries such as Japan would decrease
dramatically because of those societies’ aversion to fingerprinting.
At the regional level, biometrics could significantly affect trade with
Canada and Mexico, the nation’s largest trade partners, with total
trade amounting to $653 billion in 2000. More than 80 percent of all
Canadian exports are destined for the United States. If biometric
identification checks increased waiting time at land crossings, local
merchants on both sides of the border could lose sales. Biometric
systems might also have a profound effect on Mexico’s maquiladora
industry--the most dynamic sector of the Mexican economy, adding 1,400
new plants and 640,000 new jobs since the 1994 implementation of the
North American Free Trade Agreement (NAFTA).[Footnote 34] U.S.-NAFTA
partner trade is concentrated at a few ports. In 2000, 10 accounted for
73 percent of all North American trade by land. Biometrics-based border
control would have to be implemented carefully at these ports to
preserve the flow of trade.
International Relations:
The use of biometrics in a border control system in the United States
could affect the number of international visitors and how other
countries treat visitors from the United States. Much visa issuance
policy is based on reciprocity--that is, the process for allowing a
country’s citizens to enter the United States would be similar to the
process followed by that country when U.S. citizens travel there. If
the United States requires biometric identifiers when aliens apply for
a visa, other nations may require U.S. citizens to submit a biometric
when applying for a visa to visit their countries. Similarly, if the
United States requires other countries to collect biometrics from their
citizens and store the data with their passport for verification when
they travel here, they may require the United States to place a
biometric in its passports as well.
As more countries require the use of biometrics to cross their borders,
there is a potential for different biometrics to be required for
entering different countries or for the growth of multiple databases of
biometrics. Unless all countries agree on standard biometrics and
standard document formats, a host of biometric scanners might be
required at U.S. and other ports of entry. ICAO plans to standardize
biometric technology for machine-readable travel documents, but
biometric data-sharing arrangements between this country and others
would also be required.
[End of section]
Chapter 6 Summary:
In this report, we have considered a number of leading and emerging
biometric technologies that could potentially be used for securing the
nation’s borders. The seven leading biometric technologies include
facial recognition, fingerprint recognition, hand geometry, iris
recognition, retina recognition, signature recognition, and speaker
recognition. Among the emerging technologies, we considered vein scan,
facial thermography, DNA matching, odor sensing, blood pulse
measurement, skin pattern recognition, nailbed identification, gait
recognition, and ear shape recognition. Our assessment is based on a
snapshot of biometric technologies as they existed in early 2002.
Of the seven leading technologies, fingerprint recognition, facial
recognition, iris recognition, and hand geometry appeared to be
suitable for border security. These technologies could be used to
associate a person’s identity with travel documents and thus deter
fraudulent use of travel documents. Some of these technologies could be
used to check to see whether a person is on a watch list. Of the four
technologies, hand geometry is not very good at identifying one person
in millions and, therefore, is not suitable if we want to search the
biometric database to determine whether a person has previously
enrolled in the database. However, hand geometry can be used to verify
identity in combination with another technology. We found that the
emerging biometric technologies are in various stages of development
and have not yet been used in border control applications.
When it comes to effectiveness, all biometric technologies share a
common characteristic. Every time a biometric feature is captured, it
is always slightly different from the feature that was originally
captured and stored in the system. Also, sometimes the biometric device
cannot capture the biometric feature at all. Thus, all biometric
technologies suffer from three types of error--the failure to capture a
biometric feature, falsely not matching a biometric even though the
person’s biometric is in the system, or falsely matching a biometric.
Each biometric technology has different levels of these errors, and the
errors depend on many different factors, including the operational
environment and security-level setting. For example, it is possible to
trade off the false match and false nonmatch errors against each other.
Thus, the effectiveness of a biometric technology depends on how it is
used in an overall system.
Key Considerations
in Using Biometrics for Border Control:
It is important to recognize that biometric technology would be but one
component of the decision support systems that determine who is allowed
to enter the United States and who is not. As we have described, these
decisions are generally two-step processes. First, a decision must be
made to determine whether or not to issue a traveler a U.S. travel
document. Second, a decision is made at a port of entry on whether to
admit the traveler into the country. While the first step is not always
executed, depending on the nationality of the traveler, all legal
entries into the United States must be through an official port of
entry.
The task of sorting admissible travelers from inadmissible ones is now
conducted by using information systems for checking names against watch
lists and by using human, manual recognition capabilities to determine
whether a photograph on a travel or identification document matches the
person who seeks entry into the United States. The introduction of
biometrics into this process could help automate the identification of
travelers.
In this report, we explored the use of biometrics in two types of
systems. In one system, biometrics can check a person’s face against a
watch list of facial images and provide alerts if there is a potential
match. In another system, the identity of travelers can be verified by
comparing their proffered biometrics (e.g., a fingerprint) against
stored templates that are associated with their travel documents.
We have found that three key considerations must be addressed before a
decision is made to design, develop, and implement biometric
technologies in a border control system:
9. Decisions must be made on how the technology will be used.
10. A detailed cost-benefit analysis must be conducted to determine
that the benefits gained from a system outweigh the costs.
11. A trade-off analysis must be conducted between the increased
security, which the use of biometrics would provide, and the effect on
areas such as privacy and the economy.
As we have described, technology and people each have a role in
executing processes to achieve a goal. Before anything else can be
defined, the high-level goals of a system with biometrics must be
clearly articulated. System goals are based on business or public
policy needs. For example, a goal could be to prevent known
inadmissible people from entering the country. Based on the high-level
goals, a concept of operations can be developed that embodies the
people, process, and technologies to achieve the goals. To put together
the concept of operations, a number of inputs have to be considered,
including legal requirements, existing processes and infrastructure
used, and known technology limitations. Performance requirements should
also be included in the concept of operations. For example, an average
inspection time or an average time to issue a visa could be included as
performance requirements. Any process reengineering that would be
required to accommodate the new technology should also be handled
during this stage. For a biometric system, this could include new
processes to conduct inspection of passengers in vehicles and to
maintain the database of biometric reference templates.
Once the concept of operations is complete, the requirements of the
biometric technology system can be developed and a particular
technology solution can be selected. The system requirements are
derived from the role of the technology system as defined in the
concept of operations. Detailed system requirements should include
functional and performance parameters, interface requirements,
usability requirements, system quality requirements, and security and
privacy issues.
The primary question to be asked when selecting the technology solution
is whether it can support the requirements specified in the concept of
operations and the system requirements. Particular attention must be
paid to error measures, such as the false match rate, false nonmatch
rate, and the failure to enroll rate. Concerns about the
distinctiveness and stability of the technology, as well as its
adherence to industry standards, should also be addressed. Because
biometric technologies have not been used in applications as large as
border control, further research may be required to establish the
distinctiveness and stability of the biometric features.
Distinctiveness has two aspects--how distinct a biometric feature is
across a population and how many different biometric features are
needed to uniquely identify an individual in a given population.
Stability refers to how the biometric features change as a person ages.
It is unclear whether a biometric captured during enrollment will still
be properly matched with an acceptable level of accuracy after 5 years,
for example.
A cost-benefit analysis must be conducted to justify the investment in
a biometric border control system.[Footnote 35] The benefits gained
from a biometric border control system should be based on how well the
system achieves the high-level goals. For example, if a goal of the
system is to prevent known inadmissible people from entering the
country, one of the benefits should be based on an estimate of how many
additional inadmissible people are intercepted or deterred from
entering the country with this system. The performance of the biometric
system measured by its error rates would directly affect the expected
benefit.
All life-cycle costs for the biometric system should be included in the
analysis. The costs of the system include design, development,
implementation, operations, and maintenance costs. Costs associated
with the new business processes needed to use the new system should
also be included, such as the costs of personnel to enroll people in a
biometric system and the office space required to conduct the
operation. Additional people and processes, and their costs, required
as a result of performance limitations of the technology also must be
included.
Finally, a trade-off analysis must be conducted between increasing
security and its effect on areas that are harder to quantify, such as
privacy, convenience, and the economy. Even if the cost-benefit
analysis shows that the benefits outweigh the costs, the effect of
increasing security may affect these areas to such a degree that the
biometric system should not be undertaken.
Complying with the legal requirements for privacy is necessary to
implement the system. Further, a system that does not include adequate
protections for privacy may encounter barriers from users, who may not
accept it during operation. The historical trade-off in any security
system is between security and convenience. If a security system is not
easy to use, people will stop using it. Similarly, if the process to
enter the United States becomes too hard or time-consuming, people may
choose to stop coming. This effect may manifest itself as an economic
impact on the country as retail and trade diminish. Finally, the effect
on the nation’s dealings with other countries and their citizens must
also be considered. International travel involves not only U.S.
citizens but also citizens from other countries. Hardships imposed on
those citizens may result in reciprocal procedures being imposed on our
citizens.
High-Level Analysis of Four Scenarios Using Biometrics:
We defined four different scenarios in which biometrics could be used
in a border control system. We considered each of the key
considerations for the different scenarios. We did not answer the
questions of whether each scenario is cost-beneficial or whether the
gains in security outweigh the effects on privacy and the economy, but
we did describe some of the effects that introducing biometrics into
each scenario would have on people and processes, the benefits to be
gained from the system, and the limitations of biometric technologies.
We also described the effect of these limitations on the benefits and
the effects on privacy, the economy, and international relations.
In addition, we prepared rough order of magnitude costs for each
scenario. As summarized in table 19, initial investments could range
anywhere from less than a hundred million dollars for a watch list
application to billions for biometrics-enabled passports. Many of the
recurring costs would be for the salaries of personnel required to
enroll people and operate and maintain the system.
Table 19: Estimated Costs for Implementing Border Security Scenarios:
Scenario: 1, Watch list check before issuing travel documents; Initial
cost: $53; Annual recurring cost: $73.
Scenario: 2. Watch list check before entering the United States;
Initial cost: 330; Annual recurring cost: 237.
Scenario: 3. Issuing visas with biometrics; Initial cost: 1,399-2,845;
Annual recurring cost: 698-1,482.
Scenario: 4. Issuing passports with biometrics; Initial cost: 4,446-
8,766; Annual recurring cost: 1,555-2,363.
Note: Dollars are in million.
Source: GAO analysis.
[End of table]
These costs have to be weighed against the benefits, which include
reducing the fraudulent use of travel documents and automating the
determination of whether travelers are on a watch list as they arrive
at a port of entry. By binding an individual’s biometric features to a
travel document--either by storing the features on a token, such as a
smart card the traveler carries, or by associating the identity with
the biometric in a central database--the border inspection process
would allow travelers to enter only if the stored biometric matches the
biometric the individual presents at inspection. In a typical watch
list, photographs of undesirable people would be in a watch list of
facial images, and a facial recognition system would automatically
compare the facial image of each traveler with that in the watch list
and identify potential matches. Inspectors can then further investigate
those matches.
While using biometric watch lists and incorporating biometrics into
travel documents could improve border security, the use of biometrics
alone will not prevent the illegal entry of foreign terrorists and
others into the country. For example, biometrics cannot prevent the
illegal entry of those who do not enter through official ports of
entry. Further, even at the legal ports of entry, unless all travelers
are required to have their biometrics checked, it is possible that a
traveler could bypass the biometric check. For example, if U.S.
citizens are not required to enroll their biometrics to travel
internationally and an alien could convince the inspector that he or
she is a U.S. citizen, he or she could avoid the biometric check.
The use of biometric technologies could also have a significant effect
on many different areas, from privacy concerns to the economy. While it
appears that the Privacy Act of 1974 generally covers federal agency
use of personal biometric information, as a practical matter the act is
likely to have a more limited application in the context of border
control because the act includes exemptions for law enforcement and
national security purposes and does not cover nonimmigrant aliens.
Civil liberties groups and privacy experts expressed concern about the
adequacy of protections under current law for the large-scale data
handling in a biometric system. Besides information security, concern
was voiced about an absence of clear criteria for governing data
sharing. Another concern was raised about the potential for secondary
uses of biometric data and what other data would be linked to a
biometric identification; who would have access to such information,
legitimately or otherwise; and how people who can access such data
could use them.
When used in border control, biometric technologies also affect the
economy and international relations. We can postulate that the travel
and tourism industry might be adversely affected, because biometrics-
enabled visas may take longer to issue and may be considered more
trouble than they are worth. Spending by international travelers in the
United States totaled about $103 billion in 2000. At the regional
level, biometrics could significantly affect trade with Canada and
Mexico, the nation’s largest trade partners, with total trade amounting
to $653 billion in 2000. If biometric identification checks result in
increased waiting times at land crossings, local merchants on both
sides of the border could lose sales.
Using biometrics in a border control system in the United States could
affect how other countries treat visitors from the United States. The
reciprocity of visa issuance policy implies that if the United States
requires biometric identifiers when aliens apply for a visa, other
nations may require U.S. citizens to submit a biometric when applying
for a visa to visit their countries. Similarly, if the United States
requires other countries to collect biometrics from their citizens and
store the data with their passports for verification when they travel
to the United States, these countries may require the United States to
place a biometric in its passports as well. As more countries require
the use of biometrics to cross their borders, there is a potential for
different biometrics to be required for entering different countries or
for the growth of multiple databases of biometrics. Unless all
countries agree on standard biometrics and standard document formats, a
host of biometric scanners might be required at U.S. and other ports of
entry.
The Role of Biometrics in Border Security:
To address the role of biometrics in the overall border security
problem and the high-level goals that can be achieved by using
biometrics, a risk-based approach could be used. As we have previously
reported, risk management is the foundation of effective
security.[Footnote 36] The approach to good security is fundamentally
similar, regardless of the assets being protected, whether information
systems security, building security, or homeland security. The answers
to five basic questions can help determine the role of biometrics in a
border security solution:
* What am I protecting?
* Who are my adversaries?
* How am I vulnerable?
* What are my priorities?
* What can I do?
A decision to implement one or more of the scenarios we have defined
and analyzed in this report should be founded on a risk-based approach
that answers these questions. These scenarios are by no means the only
ways to implement biometrics to assist in the border control mission.
Some of these scenarios could be implemented partially, or brand new
scenarios could be used. For example, it could be possible to check
biometrically enabled travel documents only at air ports of entry
instead of at all ports of entry. Some have suggested that only
selected travelers’ biometrics be checked at the ports of entry instead
of all travelers’ biometrics. The selection could be random or based on
travelers who fit a particular description. Another possible
implementation of biometrics is within optional programs similar to
INSPASS, in which travelers voluntarily choose to have their biometrics
enrolled. In such a system, travelers would enroll with the expected
benefit that they would be able to cross into the United States more
quickly. Regardless of the system concept, decisions must be made that
determine how the biometric technology will be used, if the benefits
outweigh the costs, and what the effects on areas such as privacy and
the economy will be. While a partial implementation may be less costly,
the security benefits gained from such a system may also be less.
We have also noted that biometric technologies are not a panacea for
the border security problem. It is important to realize that even with
biometrics, many system dependencies cannot be controlled wholly by a
technological solution. For example, if biometrics are included with
visas, the process will still require establishing a traveler’s initial
identity in the biometric system. Once that identity is established,
the benefits of strongly binding the individual to that identity can be
gained. However, the system depends on the process used initially to
establish that identity--that is, the applicant’s presentation of a
passport from his or her country. If the foreign country does not have
adequate controls over the way it issues passports or, worse,
deliberately issues passports with false identities, an individual
could obtain a U.S. visa with a biometric unless additional processes
are in place to further verify the applicant’s identity. These
processes are not a part of the biometric system but are still
important for border security.
The population of a biometrics-based watch list is also dependent on
nontechnological processes. As we have previously stated, the policies
and procedures governing the population of a biometric watch list are
critical to the success of the program. The success of the program
depends on the effectiveness of the law enforcement and intelligence
community to identify individuals to place on the watch list. People
who are not on the watch list cannot be intercepted when trying to
obtain a travel document or entering the country. Further, biometrics
cannot help in detecting illegal entry into the United States through
other than the official ports of entry. They also cannot help in
detecting aliens who enter the country legally but then overstay the
terms of their visit.
Using a risk-based approach should help in the development of a
biometric system’s high-level goals and its concept of operations. The
answers will help point out the system’s limitations and what it will
not be able to provide. They could also play a role in determining the
appropriate balance between increasing security and cost and
operational considerations as well as the effect on issues such as
privacy and the economy. With these answers, the proper role of
biometric technologies in border security can be determined.
Agency Comments and Our Evaluation:
We provided a draft of this report to the Department of State and the
Department of Justice for their review.
Department of State:
In written comments on a draft of this report, the Department of State
stated that it appreciated the thorough and balanced approach we took
in our assessment of the use of biometrics for border security. State
found the overall thrust of the report to be in keeping with its own
considerations of how biometrics could be used in admitting individuals
to the United States and how it could be integrated into the existing
process for visa and passport applications. State agreed with us on the
need for high-level policy decisions such as defining the specific uses
of biometric data and performing a cost-benefit analysis that weighs
the effectiveness and security benefits of biometrics against costs and
the probable implications or consequences of implementation, including
economic, civil liberty, and foreign policy concerns. State believed
that policy decisions must be made before the successful selection,
execution, and implementation of a border security program involving
biometrics.
State noted that it is developing additional options for the
implementation of a biometric program whose final estimated costs may
differ. State also provided written technical comments on the draft,
which we incorporated as appropriate.
Department of Justice:
In written comments on a draft of this report, the Department of
Justice expressed concern that the report did not (1) properly consider
an overall border security strategy; (2) adequately recognize the draft
NIST certified standards recommendations for biometrics, tamper-
resistant travel documents, or interoperability; or (3) fully explore
the advantages of some biometrics over others. Justice also said that
the draft contained analytical weaknesses related to a misunderstanding
of the false match rate metric and to performance data and levels.
First, on the subject of an overall border security strategy, Justice
explained that it has prepared such a strategy and that the U.S.
government is continuing to consider this strategy. Justice believed
that the implementation of this strategy would require major
improvement in border systems. Further, according to Justice, if the
use of biometrics were limited to visa applicants, who cover only about
3 percent of visitors to the United States, the impact on preventing
the entry of potential terrorists into the country would be
marginalized.
We requested a copy of the strategy from Justice on October 11, 2002,
but as of October 24, 2002, we had not received the strategy document
from Justice. While we did not have the opportunity to review Justice’s
strategy document, we do agree with Justice’s assertion that an overall
border security strategy is needed. Concerning Justice’s point that
visa applicants comprise only 3 percent of visitors to the United
States, it is pertinent to note that limiting the use of biometrics to
visa applicants would still target individuals living among the
countries that are a higher risk of directing terrorism at the United
States. Whether the use of biometrics should be limited to visa
applicants should be based on Justice’s border security strategy. We
have previously stressed the need to develop and implement a homeland
security strategy in coordination with all relevant partners.[Footnote
37] This strategy should be comprehensive and should encompass steps
designed to reduce our vulnerabilities, deter attacks, manage the
effects of any successful attacks, and provide for appropriate
response. The strategy should involve all levels of government, the
private sector, individual citizens both here and abroad, and other
nations. The strategy should also use a risk management approach to
focus finite national resources on areas of greatest need. In this
report, we reiterate the need for a risk-based strategy for the use of
biometric technology in border security.
Second, Justice was concerned that this report presents information
about biometrics that is inconsistent with the results of a NIST study
required by the USA PATRIOT Act. In particular, Justice stated that the
intended application must (1) employ a biometric that is able to
establish and verify a unique identity in a population of hundreds of
millions, (2) be used to run a check against criminal records, and (3)
operate with a very low risk of false positive reads and with a
verification process that is not rendered ineffective in different
border, lighting, and weather conditions.
The results of the NIST study were not available during our technology
assessment. However, we provided a draft of this report to NIST and
received comments from NIST reviewers, which we incorporated, where
appropriate, into the report. Further, we do not see an inconsistency
between our position and Justice’s description of the NIST study
results. We consider these to be examples of items that would be
defined in a concept of operations or a system requirements
specification. The thrust of our report has been to point out the
possibilities and not to select a specific biometric for border
security--primarily because the selection comes after the concept of
operations and requirements is developed. The requirements Justice
described are what the department, with NIST’s assistance, is defining
as the requirements for a biometrics border control system.
Third, Justice stated that there are certain advantages to using
fingerprints over other biometrics. For example, Justice cited the
requirement in the Immigration and Nationality Act for aliens to be
registered and fingerprinted, unless waived at the discretion of the
Secretary of State. Justice further cited the law enforcement value of
using fingerprint recognition for biometric identification on a large
scale. Justice stated that unlike other biometric data, fingerprints
are left at crime scenes. Further, Justice stated that we do not
consider that the use of fingerprints would allow for a search against
records stored in IAFIS to check for criminal history.
We acknowledge the qualities of fingerprint recognition raised by
Justice. However, as we have described, the additional benefits Justice
described should be included in the cost-benefit analysis that weighs
the security benefits gained from a biometrics border control system
against the costs of building the system. A benefits assessment should
be based on how well the system achieves the high-level goals defined
for the system. For example, if the ability to collect biometric
samples at crime scenes is a requirement, it should be factored into
the goals and requirements definition of the system. An evaluation of
the technologies against the requirements would then show that
fingerprint recognition is the only technology that can meet that
particular requirement.
Justice also believed that the draft report contained analytical
weaknesses related to an insufficient analysis of large systems, misuse
of performance metrics, and the reporting of performance data.
Specifically, Justice stated that the draft did not provide sufficient
analysis of large systems and did not define and use the false match
rate metric correctly. Justice pointed out that the report provided
incorrect performance data on IAFIS. Justice further cited the problem
of having to manually resolve false matches and how the size of the
database affects the number of false matches.
In the report, we state that none of the biometric technologies have
been used with databases containing hundreds of millions of
individuals. We have clarified the definition of false match rate and,
on the basis of written technical comments provided by Justice, we have
incorporated the performance data on IAFIS. We acknowledge Justice’s
point of having to manually resolve false matches. We state in the
report that the performance of the biometric technology and its effect
on people and processes are important in the selection of the
technology. We also describe the potential effects of poorly performing
biometrics on the border control process.
Finally, Justice stated that the “draft report infers that any move
toward biometrics be made slowly and cautiously.” Justice agreed that
it is important to proceed judiciously but pointed out the sense of
congressional urgency raised in the USA PATRIOT Act and the Enhanced
Border Security and Visa Entry Reform Act.
We appreciate the urgency in developing a biometric system for border
security, but a timely decision to invest in such a system should still
be made in accordance with applicable federal regulations and best
practices for acquiring information technology systems.
Justice also provided written technical comments on the draft, which we
incorporated as appropriate. We have included Justice’s comments in
their entirety in appendix VIII.
External Reviewers’ Comments:
We provided a draft of this report to 16 different organizations for
their review. Individuals from these organizations were selected
because of their assistance during the data collection phase of our
work. In addition, several of them attended one of our two biometric
and border security meetings, convened for us by the National Academy
of Sciences. The reviewers represented government, industry, and
academia. We received comments and suggestions from 10 reviewers. The
comments ranged from correcting technical inaccuracies to highlighting
certain aspects of the assessment that the reviewers considered
important.
Several reviewers commended us for putting together such a thorough
report in a short time. One reviewer said that the report contains a
wealth of information that will be useful to all biometric
practitioners and researchers. Another reviewer noted that we have been
able to successfully develop a cohesive report despite the difficulties
associated with the wide variety of information available from vendors
and studies. A reviewer felt that this will be a milestone report--head
and shoulders above any other report on biometrics for border security.
In their comments, several reviewers cited their agreement with
specific findings in our report, particularly with the limitations of
biometric technologies in helping to secure the nation’s borders.
Specifically, reviewers agreed that biometric technologies are not a
panacea for the border security problem and that they are just one
component of the decision support systems that determine who is allowed
to enter the United States and who is not. Further, reviewers agreed
that biometrics cannot necessarily link a person to his or her true
identity, although it can bind an individual to a single identity
within a system. One reviewer concurred with the report’s point about
the difficulty in quantifying the benefits of security improvements.
Regarding the accuracy of a biometrics system, reviewers were concerned
that we had not clearly defined and used FMR and FNMR as performance
metrics. Reviewers also mentioned that we should not always equate FMR
to false accept rate and FNMR to false reject rate. Similarly,
reviewers were concerned that we did not separate out the results of
larger tests involving many enrolled individuals from smaller ones and
that in tabulating the performance of the biometric technologies, we
had mixed results from verification and identification into the same
table.
On the basis of these comments, we clarified the definitions of FMR and
FNMR, highlighted how the same technology can have different
performance requirements for verification and identification, and
selected comparable test results when summarizing the performances of
the biometric technologies in a table.
Reviewers commented on our conclusion that hand geometry was not
suitable for border control, pointing to its current use in border
control applications. We had ruled out hand geometry for border control
because it is not distinctive enough to perform identification matches
when checking watch lists or for duplicate enrollment. Reviewers
explained that for issuing visas or passports with biometrics, a more
distinctive biometric such as fingerprint could be used for the
duplicate enrollment check, whereas a simpler biometric such as hand
geometry could be used when performing one-to-one verification at ports
of entry. We incorporated this idea into our report so that hand
geometry is now listed as a viable technology for border security.
On the subject of biometric standards, reviewers commented that in
order to avoid being tied to a vendor’s proprietary biometric template
format, any biometric system has to store the original biometric
images. Reviewers also suggested that we include ANSI’s Biometric
Information Management and Security (ANSI X9.84-2001) standard in the
report and the AAMVA driver’s license standard that includes
biometrics. Reviewers also stated we should mention the ongoing
biometric standards activities of the InterNational Committee for
Information Technology Standards Technical Committee M1, Biometrics,
which was established in November 2001. We incorporated these
suggestions into the report.
Some reviewers expressed concern that using biometrics as suggested in
the scenarios would be ineffective in preventing terrorists from
entering the United States. Some reviewers believed that the report
needs to better emphasize the limitations and operational concerns
associated with biometrics. For example, reviewers suggested that we
highlight the fact that adding biometrics to a travel document can bind
only a person’s claimed identity to the document. Additionally, the
claimed identity is only as good as the credentials that a person uses
to claim that identity. They also mentioned that biometric systems are
not perfect and that operational procedures must address weaknesses in
any system implementation.
We state that the goals of any biometric system for border security
need to be defined before any decision to design, develop, and
implement it. We describe a risk-based approach to security that can
help with the definition of goals. Part of this approach is an
identification of adversaries and threats. Regardless of whether
terrorists are considered the only adversary to border security, a
vulnerability analysis is required to determine how an adversary can
illegally enter the country. As we state in the report, biometric
technologies are not a panacea for border security problems. Technology
and people must work together to execute border security processes. As
reviewers have pointed out, increasing security at the ports of entry
does not address problems with people illegally crossing into the
United States at points other than official ports of entry. Biometric
technologies can only help support a single task, the binding of an
identity to an individual. Numerous other technologies and people are
needed to support other border security processes that, together as a
whole, protect the border. We have further adjusted the report, where
appropriate, to make this point clear.
Reviewers commented that our report does not take a sufficiently
forward-looking approach to the civil liberties problems. The reviewers
believed that the report appears to downplay significant issues with
the effectiveness of biometric technologies and the significant civil
liberties issues surrounding the use of biometrics for border control.
These reviewers suggested that civil liberties issues need to be better
addressed, including the potential for unauthorized access to data,
abuse by those with authorized access, bad data in the system, the
consequences of false matches on individuals, the need for greater
transparency, and the dangers of racial or other profiling.
In the report, we summarize guidelines for addressing privacy in
biometric systems. Similar to the need to define the security goals of
a biometric border control system, there is a need to define the
privacy requirements for the system. The guidelines can help decision
makers develop a policy consensus on the amount of privacy to build
into such a system. As we point out, many of the issues surrounding the
implementation of privacy are not technical issues. Instead, they
surround the management policies governing the use of the technology
and the information generated by such a system.
We also received numerous technical comments on topics such as the
specific enrollment numbers for biometric applications, template sizes,
the maturity of new technologies, and equipment costs. We have
incorporated these comments, where appropriate, in the report.
[End of section]
Appendix I Our Technology Assessment Methodology:
The objectives of this technology assessment were to:
12. Identify biometric technologies currently deployed, currently
available but not yet deployed, or in development that could be
deployed in the foreseeable future for use in securing the nation’s
borders.
13. Determine how effective these technologies are for helping provide
security to our borders currently or are likely to be in the future.
14. Determine the economic and effectiveness trade-offs of implementing
these technologies.
15. Identify the implications of biometric technologies for personal
security and the preservation of individual liberties.
To identify and describe biometric technologies, we convened, with the
assistance of the National Academy of Sciences (NAS), two meetings on
biometrics and border control issues, which included manufacturers of
facial, fingerprint, and iris recognition and hand geometry
technologies.[Footnote 38] The meetings also included informed
representatives from academia, government, and industry groups; privacy
and civil liberty advocates; and other stakeholders such as
representatives of border communities and trade organizations. We
interviewed manufacturers of biometric technologies and reviewed their
publications to obtain descriptive information about their equipment.
We interviewed officials from biometric industry organizations,
including the Biometric Consortium and the Biometric Foundation. We
also interviewed the consulting firm the International Biometric Group
(IBG). We attended the biometrics session of the International
Industrial Security Conference, where technologies were demonstrated,
and we discussed various aspects of the technologies with industry
representatives.
To identify the current deployment of biometric technologies, we
conducted a literature search and reviewed reports of deployments,
tests, and pilots of biometric technologies. We interviewed certain
users of biometric technologies, including the Federal Bureau of
Investigation (FBI), Immigration and Naturalization Service (INS),
National Security Agency (NSA), National Institute of Standards and
Technology (NIST), the Department of State, and the Canada Customs and
Revenue Agency.
To determine how effective the technologies would be in helping to
secure the nation’s borders, we needed to understand the current border
security environment. We reviewed relevant statutes and regulations and
interviewed State Department and INS officials at headquarters and INS
officials at three ports of entry: El Paso, Texas (land); Miami,
Florida (air and sea); and Niagara Falls, New York (land). We reviewed
and analyzed statistics from INS’s Performance Analysis System for
fiscal year 2001.
To determine the effectiveness of biometric technologies, we reviewed
test documentation from academic, government, and industry sources. In
particular, we interviewed and reviewed documentation from the
Department of Defense (DOD), Federal Aviation Administration (FAA),
INS, NIST, Sandia National Laboratories, the State Department, the
United Kingdom’s National Physical Laboratory (NPL), and IBG.
To determine the economic and effectiveness trade-offs of implementing
biometric technologies, we identified four different scenarios for
implementing them and built cost models to obtain life-cycle costs for
each scenario. The cost models represent rough order of magnitude costs
and are based on DOD’s cost element structure for major automated
information systems. To build the cost models, we used data provided by
the FBI, IBG, Naval Center for Cost Analysis, State Department, and
various vendors. We reviewed the cost model and assumptions associated
with each model with IBG and the State Department and incorporated
their feedback where appropriate.
In addition, we performed uncertainty analysis on the cost models,
using a Monte Carlo simulation tool called Crystal Ball to analyze the
effects of varying inputs and outputs of the modeled scenarios. This
allowed us to try multiple what-if scenarios with our spreadsheet cost
model values and cells. We used the results of this analysis to provide
a probability value for our point estimates, as well as to provide a
risk-adjusted life-cycle cost estimate for each scenario. Crystal Ball
examines the degree of risk in forecasts by using Monte Carlo
simulation techniques that forecast all statistically possible results
for a given situation. We applied a probability distribution to each
parameter that we thought could vary, such as the costs for development
and installation, annual operating personnel, and additional square
feet in embassy or consular facilities. Then, Crystal Ball generated
random values for each cell, according to the parameters we chose to
represent the risk. The software displayed the distribution of results,
showing the highest, lowest, and most likely values.
We analyzed the benefits of each scenario and described the effects on
people and processes, based on our understanding of the technology and
current border control processes.
To determine the implications of biometric technologies, we reviewed
relevant statutes and regulations and interviewed officials from
privacy and civil liberty groups. We also heard from representatives of
these groups at our meetings convened by NAS. We met with the Greater
El Paso Chamber of Commerce to obtain its thoughts on the introduction
of biometrics and the potential economic effect in the El Paso area. We
reviewed data from the Department of Commerce and Department of
Transportation to determine the potential economic effect of
implementing biometrics.
We provided a draft of this report to the Department of State and
Department of Justice for their review. We include their comments in
appendixes VII and VIII, respectively. In addition, we provided a draft
of this report to selected attendees of the two meetings NAS convened
for this work and other interested organizations.
Three recognized independent external reviewers reviewed our process
for conducting our work. In addition to providing a sound analysis of
this assessment, the reviewers made recommendations for improving and
enhancing future assessments should the Congress ask us to do more in
the future.
We conducted our work from March to October 2002 in Washington, D.C.;
Clarksburg, West Virginia; El Paso, Texas; New York, New York; Niagara
Falls, New York; Miami, Florida; and Philadelphia, Pennsylvania. We
performed our work in accordance with generally accepted government
auditing standards.
[End of section]
Appendix II Fingerprint Recognition Technology:
Fingerprint identification has two basic premises. The basic
characteristics of fingerprints do not change with time--persistence--
and each person’s fingerprints are unique--individuality. Scientific
studies in the mid-1800s established the persistence of friction ridge
patterns on human fingers, beginning in the embryonic stage and
extending throughout life, except for accidental damage.
Manual inspection of millions of fingerprints has led to the widely
accepted notion of fingerprint individuality. However, it has not been
formally established by scientific means that a person’s fingerprints
are unique. Because it is impossible to obtain the fingerprints of
every person in the world, estimating fingerprint individuality
requires statistical methods to project the probability that two people
will have the same fingerprint. The FBI’s Integrated Automated
Fingerprint Identification System (IAFIS) is the largest biometric
database in the world with its 400 million fingerprints. Although the
FBI has never discovered matching fingerprints from two individuals,
tests have not been performed to conclusively verify that the
fingerprints in IAFIS are unique.
In response to the need for a study to rigorously test the scientific
basis of fingerprint individuality, the National Institute of Justice
issued a formal solicitation in March 2000 for “Forensic Friction Ridge
(Fingerprint) Examination Validation Studies.” The objectives were
basic research to measure the amount of detail in a single fingerprint
that can be used for comparison and the amount of similar detail
between two separate fingerprints.
Fingerprint identification has been used in law enforcement over the
past hundred years and has become the de facto international standard
for positively identifying individuals. The FBI has been using
fingerprint identification since 1928. The first fingerprint
recognition systems were used in law enforcement about four decades
ago. Advances in optical scanning technology since the 1980s have made
the technology practical for noncriminal applications. Figures 26
through 28 illustrate some current applications of fingerprint
recognition technology.
Figure 26: Using Fingerprint Biometrics for Physical Access:
Source: National Coordination Office for Information Technology
Research and Development.
[See PDF for image]
[End of figure]
Figure 27: Using Fingerprint Biometrics for Logical Access:
Source: Identix Incorporated.
[See PDF for image]
[End of figure]
Figure 28: A Fingerprint Biometric Device for Personal Identification:
Source: Sagem Morpho Inc.
[See PDF for image]
[End of figure]
The use of fingerprints for forensic evidence was challenged recently.
In 1999, the defense in U.S. v. Mitchell pointed to the Daubert
Opinion, established in a 1993 U.S. Supreme Court case, that prompted
the scientific community to address questions about the reliability and
validity of certain types of evidence, such as whether the evidence has
been adequately tested, what its error rate is, and whether there are
standards for what constitutes a fingerprint match.[Footnote 39] The
U.S. Court of Appeals in U.S. v. Mitchell held that fingerprinting
meets the necessary criteria for admissibility as evidence. More
recently, in January 2002, in U.S. v. Llera Plaza, the judge refused to
allow fingerprint experts to express an opinion that a particular
latent print matched or did not match the rolled print of a particular
person.[Footnote 40] However, in March 2002, the judge reversed himself
and concluded that the court’s use of expert fingerprint identification
testimony, subject to careful trial court oversight, could be allowed.
How the Technology Works:
Fingerprint recognition technology uses the impressions made by the
unique ridge formations or patterns found on the fingertips.[Footnote
41] The technology uses two main types of fingerprints: flat and
rolled. A flat fingerprint is obtained by pressing the finger flat
against the scanner, capturing an impression of the central area
between the fingertip and the first knuckle. A rolled fingerprint is
obtained by rolling the finger from one edge of the fingernail across
to the other, capturing an impression of the side ridges as well. A
flat fingerprint is quicker to capture, but a rolled fingerprint can
provide up to 50 percent more surface area for future comparisons.
Whether flat or rolled, the image of the fingerprint is commonly
captured by a scanner based on optical, silicon, or ultrasound
technology. Optical technology is the oldest and most widely used; it
requires that the finger be placed on a coated platen, typically made
of hard plastic. In most devices, a charged coupled device converts the
image, with dark ridges and light valleys, into a digital signal. The
brightness is adjusted automatically or manually to produce a usable
image. Although most companies use optical technology, the trend is
toward silicon.
One type of silicon technology is based on capacitance, where the
silicon sensor typically acts as one plate of a capacitor and the
finger is the other. The capacitance between the platen and the finger
is converted into an 8 bit gray-scale digital image. Although
ultrasound technology is potentially more accurate than either optical
or silicon, its performance has not been assessed in widespread use. It
captures the fingerprint by transmitting acoustic waves and measuring
the distance by the impedance of the finger, the platen, and air.
After a fingerprint image has been captured, it is enhanced to reduce
image noise, formed when a fingerprint is converted into a digital
image; the noise distorts the image, generally as repetitive patterns
or random dots. A fingerprint image is one of the noisiest of image
types, predominantly because fingertips become dirty, cut, scarred,
creased, dry, wet, and worn. Image enhancement reduces this noise and
enhances the definition of ridges and valleys. To allow for precise
locations of ridge features, ridges are thinned from an original width
of 5 to 8 pixels down to 1 pixel.
For a gray-scale image, areas lighter than a set threshold may be
discarded, while darker areas may be made black. Image enhancement is
relatively time consuming, since a 500 x 500 pixel fingerprint image
has 250,000 pixels and each pixel is enhanced. Consequently, many
fingerprint systems are designed to limit enhancement operations at
this stage in order to reach a match result quickly, trading faster
match time for poorer image quality.
Following image enhancement, several steps are required to convert a
fingerprint’s unique features into a template. Known as feature
extraction, this is the basis of fingerprint recognition technology and
the various vendors’ proprietary algorithms. We discuss the different
algorithms below. In none of these methods is the template a full
fingerprint image, and a real fingerprint cannot be recovered from the
digitized template. The generated template ranges from 250 bytes for
minutiae-based templates to about 1,000 bytes for ridge-pattern-based
templates.
Minutiae-Based Templates:
Approximately 80 percent of fingerprint recognition vendors base their
algorithms on minutiae points, or the breaks in fingertip ridges. A
typical fingerprint image may produce between 15 and 50 minutiae,
depending on the portion of the image captured. As shown in figure 29,
the most basic minutiae are ridge endings (where a ridge ends) and
bifurcations (where a single ridge divides into two).
Figure 29: Common Fingerprint Features:
Source: GAO adaptation of FBI data.
[See PDF for image]
[End of figure]
Before minutiae can be identified, an algorithm must search the
processed fingerprint image and filter out distortions and false
minutiae. False minutiae can be caused by scars, sweat, or dirt and
often create anomalies that can typically be detected. For instance,
minutiae that seem out of place could include two ridge endings on a
very short isolated line; the line would probably stem from image
noise. Similarly, endings at the boundary of the fingerprint would be
eliminated because they are not true endings but, rather, the edge of
the image captured by the scanning device. A large percentage of
minutiae candidates are discarded this way.
Once the minutiae are identified, their locations are usually set on an
x,y axis and their angles are measured (typically by the direction of a
ridge or valley ending). For each established minutiae point,
neighboring minutiae and the number of ridges in between are recorded.
The result of this stage is a minutiae template of the fingerprint.
Because of differences in the determination, placement, and analysis of
minutiae points, no two algorithms can be expected to yield the same
template from a given fingerprint.
In a verification system, templates are usually matched by comparing
the neighborhoods of nearby minutiae for similarity. If a comparison
indicates only small differences, the neighborhoods are said to match.
Comparisons are performed exhaustively for all combinations of
neighborhoods, and if enough similarities are found, the fingerprints
are said to match. One result of this verification stage is a match
score, usually a number between 0 and 1 (or 10 or 100). Higher values
in the range indicate higher confidence in a match, and the match score
is measured against a predetermined threshold. If the score is greater
than the threshold, the match result is said to be true. The threshold
can be lowered to reduce the number of false nonmatches, but the trade-
off is a greater number of false matches. Some systems score the
difference between two templates, in which case a lower score is
considered a match.
In an identification system, which compares a trial fingerprint
template to an entire database, the verification technique described
above would be impractical. Making comparisons to every fingerprint in
the database by neighborhoods would lengthen computation time
extensively. Instead, a two-step process is typically used for 1:N
matching. First, to provide an indexing method, the trial fingerprint
and the reference template in the database are categorized according to
an established fingerprint type (such as the plain arch, loop, or plain
whorl shown in figure 30). This step is called binning, in which a
pattern comparison quickly eliminates the bulk of the nonmatches. Care
must be taken in binning. Errors in assigning images to bin categories
increase the likelihood of a false nonmatch.
Figure 30: Established Fingerprint Types:
Source: FBI
[See PDF for image]
[End of figure]
In the second step for 1:N matching in identification, the trial
template is compared by minutiae neighborhood to each reference
template that closely matches the trial template pattern.
Ridge-Pattern-Based Templates:
In matching ridge patterns, data are extrapolated from a particular
series of ridges, to be used in enrollment for the basis of future
comparisons. The ridge series are chosen so as to maximize the amount
of unique information that is recorded--for example, those with an
unusual ridge combination. At verification, a segment of the same area
must be found and compared. The match result contains information on
how well the stored images fit the verification image. This information
is measured against a threshold to determine whether the match result
is true.
The Leading Vendors:
Fingerprint recognition technology companies number more than 75. There
are more fingerprint recognition vendors than for all other biometrics
combined. Some of the leading companies are listed in table 20.
Table 20: Leading Vendors of Fingerprint Recognition Biometrics:
Vendor: ActivCard; Scanner for image capture: Optical: X; Scanner for
image capture: Silicon: [Empty]; Scanner for image capture: Ultrasound:
[Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Astro Datensysteme AG; Scanner for image capture: Optical:
[Empty]; Scanner for image capture: Silicon: X; Scanner for image
capture: Ultrasound: [Empty]; Scanner for image capture: Other[A]:
[Empty].
Vendor: AuthenTec Inc.; Scanner for image capture: Optical: [Empty];
Scanner for image capture: Silicon: X; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Bergdata Biometrics GmbH; Scanner for image capture: Optical:
[Empty]; Scanner for image capture: Silicon: X; Scanner for image
capture: Ultrasound: [Empty]; Scanner for image capture: Other[A]:
[Empty].
Vendor: BIO-key International; Scanner for image capture: Optical:
[Empty]; Scanner for image capture: Silicon: [Empty]; Scanner for image
capture: Ultrasound: [Empty]; Scanner for image capture: Other[A]: X.
Vendor: BioLink Technologies International Inc.; Scanner for image
capture: Optical: X; Scanner for image capture: Silicon: [Empty];
Scanner for image capture: Ultrasound: [Empty]; Scanner for image
capture: Other[A]: [Empty].
Vendor: Biometric Access Corporation; Scanner for image capture:
Optical: X; Scanner for image capture: Silicon: [Empty]; Scanner for
image capture: Ultrasound: [Empty]; Scanner for image capture:
Other[A]: [Empty].
Vendor: Bioscrypt Inc.; Scanner for image capture: Optical: X; Scanner
for image capture: Silicon: X; Scanner for image capture: Ultrasound:
[Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Cogent Systems Inc.; Scanner for image capture: Optical: X;
Scanner for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Cross Match Technologies Inc.; Scanner for image capture:
Optical: X; Scanner for image capture: Silicon: [Empty]; Scanner for
image capture: Ultrasound: [Empty]; Scanner for image capture:
Other[A]: [Empty].
Vendor: Delsy; Scanner for image capture: Optical: [Empty]; Scanner for
image capture: Silicon: X; Scanner for image capture: Ultrasound:
[Empty]; Scanner for image capture: Other[A]: X.
Vendor: DigitalPersona Inc.; Scanner for image capture: Optical: X;
Scanner for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Ethentica; Scanner for image capture: Optical: [Empty]; Scanner
for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: X.
Vendor: Fingerprint Cards AB; Scanner for image capture: Optical:
[Empty]; Scanner for image capture: Silicon: X; Scanner for image
capture: Ultrasound: [Empty]; Scanner for image capture: Other[A]:
[Empty].
Vendor: Identix Inc.; Scanner for image capture: Optical: X; Scanner
for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Infineon Technologies AG; Scanner for image capture: Optical:
[Empty]; Scanner for image capture: Silicon: X; Scanner for image
capture: Ultrasound: [Empty]; Scanner for image capture: Other[A]:
[Empty].
Vendor: Polaroid Corp.; Scanner for image capture: Optical: X; Scanner
for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Precise Biometrics; Scanner for image capture: Optical:
[Empty]; Scanner for image capture: Silicon: X; Scanner for image
capture: Ultrasound: [Empty]; Scanner for image capture: Other[A]:
[Empty].
Vendor: SAGEM Morpho Inc.; Scanner for image capture: Optical: X;
Scanner for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: SecuGen Corp.; Scanner for image capture: Optical: X; Scanner
for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Siemens AG; Scanner for image capture: Optical: [Empty];
Scanner for image capture: Silicon: X; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Sony Corp.; Scanner for image capture: Optical: X; Scanner for
image capture: Silicon: X; Scanner for image capture: Ultrasound:
[Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: STMicroelectronics; Scanner for image capture: Optical:
[Empty]; Scanner for image capture: Silicon: X; Scanner for image
capture: Ultrasound: [Empty]; Scanner for image capture: Other[A]:
[Empty].
Vendor: Thales; Scanner for image capture: Optical: [Empty]; Scanner
for image capture: Silicon: X; Scanner for image capture: Ultrasound:
[Empty]; Scanner for image capture: Other[A]: [Empty].
Vendor: Ultra-Scan Corp.; Scanner for image capture: Optical: [Empty];
Scanner for image capture: Silicon: [Empty]; Scanner for image capture:
Ultrasound: X; Scanner for image capture: Other[A]: [Empty].
Vendor: Veridicom Inc.; Scanner for image capture: Optical: [Empty];
Scanner for image capture: Silicon: X; Scanner for image capture:
Ultrasound: [Empty]; Scanner for image capture: Other[A]: [Empty].
[A] Includes middleware and emerging scan technologies that use polymer
or fiber optic readers.
Source: GAO analysis of vendor data.
[End of table]
The Cost of Devices:
Fingerprint readers designed for physical access control range from
about $1,000 to $3,000 per unit. Software licenses for the fingerprint
technology are about $4 per user enrolled. For smaller fingerprint
scanners, maintenance costs are between 15 percent and 18 percent of
cost. A live scan 10-print fingerprint reader costs about $25,000. The
maintenance cost of the larger machines is approximately 14 percent of
the cost of the reader.
Performance Issues:
Although fingerprints are stable physiological characteristics, daily
wear can cause the performance of some fingerprint recognition
technologies to drop drastically. Although high-quality enrollment
improves long-term performance, the fingerprints of about 2 to 5
percent of people cannot be captured because the fingerprints are dirty
or have become dry or worn from age, extensive manual labor, or
exposure to corrosive chemicals. Also, IBG’s comparative biometric
testing has shown that certain ethnic and demographic groups (elderly
populations, manual laborers, and some Asian populations) have
fingerprints that are more difficult to capture than others’.
Optical and silicon scanning technologies have unique performance
issues. Scanning fingerprints optically can be prone to error if the
platen has a buildup of dirt, grime, or oil--producing leftover
fingerprints from previous users, known as latent prints. Severe latent
prints can cause the superimposition of two sets of prints and image
degradation. Although silicon scanners generally produce a higher-
quality image, high-quality fingerprint capture is more difficult
because the sensor size is smaller than that used in optical scanners.
Ultrasound scanning technology is designed to penetrate the dirt and
residue on platens.
Optical and silicon scanners using minutiae-based and pattern-matching
technologies have been tricked into accepting reactivated latent prints
or artificial fingers with forged fingerprints. Latent fingerprints
were reactivated by simply breathing on the sensor or by placing a
water-filled plastic bag on the sensor’s surface. Latent fingerprints
could also be reconstructed and authenticated by dusting the sensor’s
platen with commercially available graphite powder and lifting with
adhesive tape. Artificial fingers made with candle wax or gelatin and
the fingerprints of enrolled individuals have also successfully fooled
the system.
User Acceptance:
Because law enforcement agencies identify criminals with fingerprints,
the recognition technology’s similarity to forensic fingerprinting
causes some percentage of users discomfort. Privacy advocates fear that
fingerprint recognition systems may collect data for one purpose but
then use the data for other purposes, such as in forensic applications
or for tracking people’s activities. Also, people may have hygiene
issues with touching the plate of a scanner that many people have
touched.
The Technology’s Maturity:
Operational Uses:
The FBI’s IAFIS is an automated 10-fingerprint matching system that
relies on rolled fingerprints. The more than 40 million records in its
criminal master file are connected electronically with all 50 states
and some federal agencies. IAFIS was designed to handle a large volume
of fingerprint checks against a large database of fingerprints. It
processes, on average, approximately 48,000 fingerprints per day and
has processed as many as 82,000 in a single day. IAFIS’s target
response time for criminal fingerprints submitted electronically is 2
hours; for civilian fingerprint background checks, 24 hours. According
to FBI data from August 2002, the majority of criminal fingerprints
were answered in less than 7 minutes and the majority of civilian
fingerprints were answered in less than 4 minutes; 88.2 percent of
criminal prints and 66.1 percent of civilian prints were completed in
less than 2 hours. For fingerprint submissions in paper-card format,
the response time is 3 days between receipt and mailed-back response.
The FBI claims that IAFIS has a false match rate (FMR) of about 1.5 x
10-12 with a false nonmatch rate (FNMR) of about 1.5 to 2.0 percent.
The failure to enroll rate (FTER) is about 0.5 percent for criminal
searches and about 2.5 percent for civilian background searches.
INS began developing the Automated Biometric Fingerprint Identification
System (IDENT) around 1990 to identify illegal aliens who are
repeatedly apprehended trying to enter the United States illegally.
INS’s goal was to enroll virtually all apprehended aliens. IDENT can
also identify aliens who have outstanding warrants or who have been
deported. When such aliens are apprehended, a photograph and two index
fingerprints are captured electronically and queried against three
databases (see figure 31). One database stores the fingerprints and
photographs of approximately 300,000 aliens INS has previously
apprehended; it tracks the number of apprehensions. The second database
stores the fingerprints and photographs of approximately 240,000
criminal aliens convicted of an aggravated felony, among other
criteria. The third database stores the fingerprints and photographs of
more than 4 million illegal aliens who were apprehended, enrolled in
IDENT, and then permitted to voluntarily depart the United States or to
withdraw their applications for admission at ports of entry. The
fingerprint query of the three databases normally takes 2 minutes. In
March 2002, the FMRs for the four fingerprint search types were 4.05
percent for flat to flat, 2.60 percent for flat to roll, 0.70 percent
for roll to roll, and 1.19 percent for roll to flat.
Figure 31: An IDENT Workstation:
Source: INS.
[See PDF for image]
[End of figure]
A number of states (including Arizona, California, Connecticut,
Illinois, Massachusetts, New Jersey, New York, and Texas) require
applicants for welfare benefits to submit their fingerprints in order
to eliminate duplicate participation and to deter fraud. The first
social service fingerprint recognition system in the nation was the Los
Angeles County Automated Fingerprint Image Reporting and Match system,
which enrolled 311,000 clients between 1992 and 1995. On the basis of a
study group of 24,000 fingerprint recipients, it was determined that
about 7 percent of the cases on the benefit rolls in Los Angeles were
multiple identities. As of January 2001, this was the only substantial
finding of multiple identity fraud in any of the various state welfare
fingerprint programs.
Since January 31, 2002, immigrants seeking asylum in the United Kingdom
are issued an application registration card to allow for quick and
positive identification of all asylum applicants. The smart cards,
manufactured by SAGEM Morpho Inc., store two fingerprint templates on a
memory chip. An extension of the Immigration and Asylum Fingerprint
System (IAFS), they are intended to prevent fraudulent behavior, such
as impersonations to avoid removal or to make false benefits claims.
The United Kingdom plans to adopt the Eurodac Convention and Protocol,
which assists European Union members in applying the provisions of the
Dublin Convention, a framework for ensuring that an asylum claim is
heard within the European Union only once. Once the United Kingdom has
adopted the Eurodac Convention and Protocol, British IAFS fingerprint
data will be transmitted electronically to a central database,
accessible to other members for fingerprint comparisons. The data will
be retained for 10 years, with the exception of fingerprints from
asylum seekers who are granted citizenship by European Union members.
The prints of these new citizens will be immediately erased.
Pilots:
FAA Fingerprint Recognition Testing:
In 2001, FAA conducted operational testing of a fingerprint recognition
reader for access control by different groups of people in various
operating environments. Following the test, the biometric system was
removed. Enrolling users in the fingerprint reader system took an
average of 3 minutes and 30 seconds. Two of 38 users were unable to
enroll because of the poor quality of their fingerprints. Passing
through the door took about 10 seconds using fingerprint recognition,
compared to an average of about 2 seconds before the device was
installed. Performance rates varied at the three different security-
level thresholds tested. The FNMR ranged from about 6 percent to about
17 percent for closely controlled test subjects. For actual airport
employees using the door in a less controlled environment, the FNMR
ranged from about 18 percent to about 36 percent. The FMR ranged from 0
percent at the highest security level to approximately 8 percent at the
lowest security level.
O’Hare International Airport, Chicago:
In 1998, FAA funded an operational test at Chicago’s O’Hare
International Airport involving smart cards and fingerprint recognition
identification devices to screen employees of motor carrier and air
cargo companies at access control points to cargo areas. Truck drivers
were instructed to insert a smart card into the smart card reader and
to confirm their identity by placing the enrolled fingers on the
fingerprint reader.[Footnote 42] Fingerprints were chosen over other
biometrics because of the users’ operational requirements, the
perception that fingerprint recognition was one of the least intrusive
technologies, and the results from a 1997 study that determined that
fingerprints could be used in a variety of applications in the trucking
industry.
Because all users’ verification attempts were voluntary, only some of
the users who were initially rejected by the system chose to try again.
For 65 users, the first-try FNMR was 28 percent. Of the seven users who
chose to try again, 71 percent successfully accessed the system. If all
rejected users had retried with this rate of success, only 8 percent of
the users would have been rejected after two tries.[Footnote 43]
Testing of impostors’ fingerprints against the operational database was
not performed, so an FMR could not be obtained for the O’Hare
databases.
Tests:
Fingerprint Verification Competition 2000:
The Fingerprint Verification Competition 2000 (FVC 2000) tested
relative technology performance in a one-to-many application and was
not intended to predict performance of fingerprint recognition
technology in a real environment. Eleven algorithms were submitted,
seven from academic groups and four from companies (one from Ditto
Information & Technology Inc., one from FingerPin AG, and two from
SAGEM Morpho Inc.). Three databases in this competition were acquired
in a laboratory environment, using a variety of sensors (both optical
and silicon), while the fourth contained synthetically generated
images. Enrollment time averaged 0.20 to 10.42 seconds, 10 of the
algorithms requiring no more than 3.18 seconds. Matching time averaged
0.20 to 2.67 seconds, 9 of the algorithms requiring no more than 1.58
seconds. The most accurate algorithm had an average equal error rate
(EER) of 1.73 percent, while the least accurate algorithm had an
average EER of 47.84 percent. These data are depicted in table 21.
Table 21: Summary of Results from the Fingerprint Verification
Competition 2000:
Participant: SAGEM SA, France (Algorithm 1); Type: Company; Average
EER: 1.73%; Average enroll time: 3.18; Average match time: 1.22.
Participant: SAGEM SA, France (Algorithm 2); Type: Company; Average
EER: 2.28; Average enroll time: 1.11; Average match time: 1.11.
Participant: Centre for Signal Processing, Nanyang Technological
University, Singapore; Type: Academic; Average EER: 5.19; Average
enroll time: 0.20; Average match time: 0.20.
Participant: CEFET-PR/Antheus Technologia LTDA., Brazil; Type:
Academic; Average EER: 6.32; Average enroll time: 0.95; Average
match time: 1.06.
Participant: Centre for Wavelets, Approximation, and Information
Processing, Department of Mathematics, National University of
Singapore, Singapore; Type: Academic; Average EER: 7.08; Average
enroll time: 0.27; Average match time: 0.35.
Participant: Kent Ridge Digital Labs, Singapore; Type: Academic;
Average EER: 10.94; Average enroll time: 1.08; Average match time:
1.58.
Participant: University of Twente, Electrical Engineering,
Netherlands; Type: Academic; Average EER: 15.24; Average
enroll time: 10.42; Average match time: 2.67.
Participant: FingerPin AG, Switzerland; Type: Company; Average EER:
15.94; Average enroll time: 1.22; Average match time: 1.27.
Participant: Inha University, Korea; Type: Academic; Average EER:
19.33; Average enroll time: 0.71; Average match time: 0.76.
Participant: Ditto Information & Technology Inc., Korea; Type: Company;
Average EER: 20.97; Average enroll time: 1.24; Average match time:
1.32.
Participant: Natural Sciences and Mathematics, Institute of
Informatics, Macedonia; Type: Academic; Average EER: 47.84; Average
enroll time: 1.44; Average match time: 1.71.
Note: Time is in seconds.
Source: FVC 2000.
[End of table]
Fingerprint Verification Competition 2002:
Researchers from University of Bologna, Italy; San Jose State
University, California; and Michigan State University, East Lansing;
jointly conducted Fingerprint Verification Competition 2002 (FVC 2002),
a large-scale evaluation of fingerprint recognition technology that was
a follow-up to FVC 2000. There were 31 participants--21 from companies,
6 from academic institutions, and 4 others. As in FVC 2000, three
databases were acquired in a laboratory environment, using both optical
and silicon sensors, and a fourth contained synthetically generated
images.
Enrollment time averages ranged from 0.11 to 7.05 seconds, 24 of the
participants requiring no more than 1 second. Matching time averages
ranged from 0.18 to 5.01 seconds, 21 of the participants requiring no
more than 1 second. The most accurate algorithm had an average EER of
0.19 percent, while the least accurate algorithm had an average EER of
50 percent. Table 22 depicts these data.
Table 22: Summary of Results from the Fingerprint Verification
Competition 2002:
Participant: Bioscrypt Inc., United States (Algorithm 1); Type:
Industrial; Average EER: 0.19%; Average enroll time: 0.11; Average
match time: 1.97.
Participant: Anonymous; Type: Industrial; Average EER: 0.33; Average
enroll time: 2.12; Average match time: 1.98.
Participant: Anonymous; Type: Industrial; Average EER: 0.41; Average
enroll time: 1.23; Average match time: 1.13.
Participant: Bioscrypt Inc., United States (Algorithm 2); Type:
Industrial; Average EER: 0.77; Average enroll time: 0.07; Average
match time: 0.22.
Participant: Siemens AG, Germany; Type: Industrial; Average EER: 0.92;
Average enroll time: 0.48; Average match time: 0.52.
Participant: Neurotechnologija Ltd., Lithuania; Type: Industrial;
Average EER: 0.99; Average enroll time: 0.56; Average match time:
0.56.
Participant: SAGEM, France (Algorithm 1); Type: Industrial; Average
EER: 1.18; Average enroll time: 4.05; Average match time: 1.65.
Participant: Andrey Nikiforov (Independent Developer), United States;
Type: Other; Average EER: 1.31; Average enroll time: 0.81; Average
match time: 1.23.
Participant: SAGEM, France (Algorithm 2); Type: Industrial; Average
EER: 1.42; Average enroll time: 0.77; Average match time: 0.66.
Participant: Deng Guoqiang (Independent Developer), China; Type: Other;
Average EER: 2.18; Average enroll time: 0.17; Average match time: 0.48.
Participant: IDENCOM AG, Switzerland; Type: Industrial; Average EER:
2.22; Average enroll time: 0.52; Average match time: 0.62.
Participant: Suprema Inc., Korea; Type: Industrial; Average EER: 2.50;
Average enroll time: 0.54; Average match time: 0.63.
Participant: Anonymous; Type: Industrial; Average EER: 3.31; Average
enroll time: 0.53; Average match time: 0.65.
Participant: Biometrics System Lab, Beijing University of Posts and
Telecommunications, China; Type: Academic; Average EER: 3.76; Average
enroll time: 0.57; Average match time: 0.59.
Participant: Anonymous; Type: Industrial; Average EER: 4.19; Average
enroll time: 0.18; Average match time: 0.18.
Participant: HZMS Biometrics Co. Ltd., China; Type: Other; Average EER:
4.24; Average enroll time: 0.65; Average match time: 0.66.
Participant: ActivCard Canada, Canada; Type: Industrial; Average EER:
5.21; Average enroll time: 0.68; Average match time: 1.76.
Participant: Antheus Tecnologia Ltda, Brazil; Type: Industrial; Average
EER: 5.46; Average enroll time: 0.20; Average match time: 0.54.
Participant: TeKey Research Group, Israel; Type: Industrial; Average
EER: 5.72; Average enroll time: 0.01; Average match time: 3.15.
Participant: FINGERPIN AG, Switzerland; Type: Industrial; Average EER:
6.05; Average enroll time: 0.48; Average match time: 0.77.
Participant: Inha University, Korea; Type: Academic; Average EER: 6.07;
Average enroll time: 0.80; Average match time: 0.84.
Participant: Aldebaran Systems, United States; Type: Industrial;
Average EER: 6.16; Average enroll time: 1.81; Average match time: 1.81.
Participant: Digital Fingerpass Corporation, China; Type: Industrial;
Average EER: 6.40; Average enroll time: 0.49; Average match time: 0.50.
Participant: DATAMICRO Co. Ltd., Russia; Type: Industrial; Average EER:
6.72; Average enroll time: 0.33; Average match time: 0.56.
Participant: Anonymous; Type: Industrial; Average EER: 7.12; Average
enroll time: 0.24; Average match time: 0.28.
Participant: Department of Computer Science and Information
Engineering, Da-Yeh University, Taiwan; Type: Academic; Average EER:
9.04; Average enroll time: 0.13; Average match time: 0.15.
Participant: Anonymous; Type: Industrial; Average EER: 12.09; Average
enroll time: 0.68; Average match time: 0.70.
Participant: AILab, Institute of Automation, The Chinese Academy of
Sciences, China; Type: Academic; Average EER: 14.66; Average
enroll time: 0.57; Average match time: 0.65.
Participant: University of Tehran, Electrical and Computer Department,
Iran; Type: Academic; Average EER: 16.79; Average
enroll time: 1.16; Average match time: 1.19.
Participant: Anonymous; Type: Other; Average EER: 39.10; Average
enroll time: 0.52; Average match time: 0.63.
Participant: Anonymous; Type: Academic; Average EER: 50.00; Average
enroll time: 7.05; Average match time: 5.01.
Note: Time is in seconds.
Source: FVC 2002.
[End of table]
Biometric Product Testing:
NPL conducted a performance evaluation of seven different biometric
systems from May to December 2000. The fingerprint part of the test
included two types of systems, one based on optical technology and the
other on silicon technology. The vendor of the silicon sensor was
VeriTouch Ltd., with alternative enrollment and matching algorithms
provided by Infineon Technologies AG. The vendor of the optical sensor
was not identified.
The silicon system’s FTER was 1.0 percent, the optical system’s 2.0
percent. FMR and FNMR measure the accuracy of the matching process.
Adjusting the decision criteria can make for a trade-off between false
match and false nonmatch errors. At an FMR of about 2 percent, the FNMR
was about 4.3 percent for the silicon sensor with the alternative
algorithm. Additional experimental results are summarized below:
* The silicon sensor system had a mean transaction time of 19 seconds,
a median of 15 seconds, and a minimum of 9 seconds. The optical
fingerprint system had a mean transaction time of 9 seconds, a median
of 8 seconds, and a minimum of 2 seconds.
* The silicon sensor system could make 60 matches per minute, the
alternative algorithm 2,500 matches per minute. The optical system
could make only 50 matches per minute. These diagnostic programs had
significant overheads, so the matching algorithm may be significantly
faster than the results showed, perhaps by a factor exceeding 100.
* For both the silicon sensor and the optical system, younger people
generally had a lower FNMR than older people, and the FNMR for attempts
made immediately following enrollment were lower than those made on
second or third visits.
Republic of the Philippines Social Security System:
Identification Card Benchmark Test:
In May 1997, the U.S. National Biometric Test Center at San Jose State
University conducted an automated fingerprint identification system
(AFIS) benchmark test for the Republic of the Philippines Social
Security System Identification Card Project. The test measured single
comparison FMRs and FNMRs (among other metrics) for each of the four
participating international AFIS vendors. The FMR and FNMR for each
vendor were determined by matching 4,128 test images against a database
of 4,080 fingerprints. Flat prints of the thumb through the ring finger
of each hand were collected from adult employee volunteers in the
Social Security System. One vendor returned 16 million cross
comparisons with only one false match, indicating a 95 percent
statistical confidence in an FMR of fewer than 3 in 10 million prints
but with an FNMR approaching 20 percent. Statistical analysis of the
test results supports the feasibility of an AFIS system that could
support 16 million flat fingerprint comparisons without a false match.
INS’s IDENT Benchmark Test:
In June 1998, an independent verification and validation test was
conducted on the Cogent PMA3 Matcher configuration that was later
installed for IDENT. This benchmark test used a fingerprint test
database created by INS and provided to Cogent Systems Inc. that
consisted of 129,712 rolled fingerprints, 951,956 flat fingerprints,
and six different search fingerprint image input files. The data were
highly representative of IDENT criminal alien records at the time. As
about half of the search subjects in the input files had mates in the
rolled or flat fingerprint database, the benchmark data were designed
to obtain results with a high confidence level.
All four types of searches (flat-flat, roll-flat, flat-roll, and roll-
roll) in operation in IDENT were tested during the benchmark. Two
verification match tests (flat-flat and flat-roll) were also conducted.
The results are displayed in table 23.
Table 23: INSís IDENT Fingerprint Benchmark Test Results, 1998:
Match test: Flat to flat; Match test: 0.4%; Identification: FMR: 5.4%;
[Empty]; Verification: FNMR: 0; Verification: FMR: 0.1%.
Match test: Roll to flat; Match test: 8.4; Identification: FMR: 1.5;
[Empty]; Verification: FNMR: a; Verification: FMR: a.
Match test: Flat to roll; Match test: 7.3; Identification: FMR: 0.2;
[Empty]; Verification: FNMR: 1.6%; Verification: FMR: 0.1.
Match test: Roll to roll; Match test: 0.2; Identification: FMR: 0.1;
[Empty]; Verification: FNMR: a; Verification: FMR: a.
[A] Data not available.
Source: GAO analysis of INS data.
[End of table]
The results of the flat-to-flat and roll-to-roll search test were more
accurate than those of the mixed media tests--roll-to-flat and flat-to-
roll--because the mixed media searches resulted in a higher FNMR. The
results of the verification match test supported the use of the
algorithm for future INS verification applications.
Border Control Applications Piloted and Deployed:
CANPASS-Airport:
The CANPASS-Airport pilot at Vancouver International Airport was
initiated in October 1995 using both fingerprint recognition and hand
geometry technologies. The pilot used identity cards and biometric
identification devices to allow previously screened travelers to bypass
customs and immigration lines. Qualified Canadian and U.S. residents
entered Canada through a special line by opening an automated gate with
an encoded identification card and providing a fingerprint or hand
geometry biometric for one-to-one authentication. Roughly a thousand
travelers registered with CANPASS in the pilot’s first 7 months, with
an average enrollment time of 15 minutes. Of 1,385 authentication
attempts, 87 percent were successful and 13 percent were falsely
rejected by the technology and had to be processed manually. On the
basis of these results, authorities decided to use solely hand geometry
for CANPASS-Airport.
Border Biometric Program and Border Crossing Card:
The biometric border crossing card project is a joint effort of the
Department of State and INS to replace the paper-based card previously
issued to Mexican citizens. The new card is a laser visa, a credit-
card-like document, that permits the holder to enter the United States
without being issued further documentation for business or pleasure and
to stay for 72 hours or less, going no farther than 25 miles from the
border. With additional documentation, the laser visa can permit longer
stays and travel farther than 25 miles from the border. The laser visas
are manufactured by LaserCard Systems Corp. and are made of
polycarbonate material with a rectangular strip of optical memory for
data storage. The cards store a frontal facial image and the templates
of two index flat fingerprints. More than 5 million cards have been
issued, but the performance of the fingerprint recognition technology
has not been measured, because ports of entry have no scanners for
reading travelers’ fingerprints and matching them with the information
on the laser visa. INS is buying and installing 30 readers at six ports
of entry for a pilot test.
Hong Kong Resident Smart Cards:
About 250,000 people cross the Hong Kong-Shenzhen border daily, causing
long lines at the immigration checkpoint. The Hong Kong government
plans to issue new identity smart cards to residents in 2003. The smart
cards will hold a template of a rolled fingerprint to be matched
against the bearer at a self-service kiosk. The $21 million smart card
contract was awarded in March 2002, and distribution to the 6.8 million
Hong Kong residents will be phased in over 4 years.
Processing Issues:
The size of an identification system’s projected database has a
significant effect on the system’s configuration and cost. The larger
the database, the more storage devices are required. In addition, it
takes longer to search a larger database unless matching processor
power is also increased. Database size can also affect a system’s
accuracy. Some matching algorithms are effective only with relatively
small databases and are simply not capable of accurate matching against
the larger numbers of records found in forensic automated fingerprint
identification systems.
Device Durability and Environmental Constraints:
Capturing fingerprints has been a significant issue in border control
pilots. In an unattended environment, trained users have generally
skewed fingers or have not pressed hard enough on the platen. The
difficulty of acquiring a usable fingerprint after three attempts has
resulted in approximately a 50 percent rejection rate. In addition,
fingerprint readers do not operate below freezing temperature, so the
issues of freezing and condensation are significant in selecting
biometric systems.
[End of section]
Appendix III Hand Geometry Technology:
Patents for hand geometry technology were first issued in the late
1960s and early 1970s. The technology is based on the premise that the
hand’s bone structure, while changing over time, remains
characteristically the same. The hand’s shape usually stabilizes at age
13 or 14.
How the Technology Works:
Hand geometry technology uses the hand’s distinctive features,
particularly the height and width of its back and fingers, to verify a
person’s identity. In measuring size and shape, a hand geometry system
collects more than 90 dimensional measurements, including finger width,
height, and length; distances between joints; and knuckle shapes.
Although the shape and size of our hands are reasonably diverse, they
are not necessarily unique. In larger populations, for example, it is
almost certain that various people have very similar hand dimensions.
Consequently, the technology cannot be used for 1:N identification.
In the measurement of the different features, a person places his or
her hand flat on the device’s metal surface, where pegs guide the
fingers into position. Hand geometry systems require a person to
squeeze his or her fingers against the pegs to prevent spoofing.
Cameras capture two orthogonal two-dimensional images of the back and
sides of the hand (see figure 32).
Figure 32: Fingers Guided by Pegs in a Biometric Hand Geometry
Measurement:
Source: Michigan State University, Biometrics Research Group.
[See PDF for image]
[End of figure]
Only the spatial geometry is acquired; prints of the palm and fingers
are not taken. The derived template is 9 bytes in size, the smallest in
the biometric industry. In a process known as template averaging, the
template is automatically updated whenever the difference between the
individual’s hand and his or her reference template exceeds a
designated threshold.
The Leading Vendors:
Recognition Systems Inc. (RSI) dominates the market in hand geometry
technology. Its systems are used in nearly every current
implementation. Companies that integrate hand geometry technologies
include Electronic Data Systems Corp. and ADT. However, Dermalog, a
German company, is developing an alternative technology that uses a
pegless device. Biomet Partners, a Swiss company, sells a finger
geometry device that operates on the same basic principles as the RSI
hand geometry devices.
The Cost of Devices:
Hand geometry devices generally cost between $2,000 and $4,000.
Training is minimal, and no personnel costs are incurred because most
hand geometry devices are typically unattended.
Performance Issues:
Hand geometry disregards fingernails and surface details such as
fingerprints, lines, scars, and dirt. Except for jewelry, arthritis,
water retention, and swelling from pregnancy or hand injury, the hand
is not susceptible to major changes that would affect the technology’s
accuracy. However, because measurements of the hand are not distinct
over a large population, false matches can occur. Therefore, hand
geometry is not effective in large-scale1:N applications or in
applications where resistance to impostors is essential.
User Acceptance:
Hand geometry is generally perceived as nonintrusive, nonthreatening,
and noninvasive, and it bears very little of the stigma of other
biometric technologies. It lacks the forensic association that may
affect users’ perceptions of fingerprint recognition systems. It is
considered easy to use, although a minimal amount of training may be
required to learn how to align the hands in the device. However, some
people are uncomfortable touching a device that many people have
previously touched.
The Technology’s Maturity:
Operational Uses:
Hand geometry is an established, mature, and reliable technology that
has remained unchanged for several years. Hand geometry systems have
been deployed since the 1980s in tens of thousands of locations for
access and entry control, personal identification, and time and
attendance applications. For example, hand geometry is the most
commonly deployed biometric technology for controlling physical access
and for processing time and attendance records. Devices used for time
and attendance applications are often tied into physical access control
systems. Hand geometry devices have been installed at the entrances to
more than half the nuclear power plants in the United States. In 1991,
San Francisco International Airport installed hand geometry devices to
protect secure areas such as the tarmac and loading gates. At the 1996
Olympic Games in Atlanta, Georgia, athletes used a hand geometry system
to gain access to Olympic Village.
Tests:
FAA Hand Geometry Testing:
In 2001, FAA and the National Safe Skies Alliance evaluated the
effectiveness of hand geometry technology for the use of access control
of airport employees. Following the test, the biometric system was
removed. Of the 39 people who successfully enrolled, 27 enrolled in an
average of 57 seconds. The hand geometry system had varying security-
level settings, resulting in differing performance rates at
verification. The FNMR ranged from approximately 5 percent at a high
security-level setting to less than 1 percent at a low security-level
setting. The FMR ranged from approximately 0 percent at the high
security-level setting to about 2 percent at the low security-level
setting. Before the biometric technology was installed, passing through
the door was estimated at 2 seconds; after installation, the time
increased to 8 seconds.
The results of testing under abnormal conditions are summarized below:
* At the default security level setting, adding or removing rings
similar to the wide-band ring used in this test would very likely cause
users to be rejected at a high rate. Smaller rings do not appear to
cause a higher FNMR.
* Wearing gauze pads or splints to cover injuries would also probably
cause a higher rejection rate. Standard adhesive bandages three-quarter
inches wide do not appear to cause higher FNMRs.
* High backlight conditions did not noticeably affect FNMR.
Biometric Product Testing:
From May to December 2000, NPL evaluated seven different biometric
technologies in a real-world environment for positive verification
comparative testing. The hand geometry portion of the test used RSI’s
Hand Key II, which had the fastest transaction time of the biometric
technologies compared. With 200 people enrolled, the FTER was 0
percent. At an FMR of about 1 percent, the hand geometry system had an
FNMR of approximately 1.4 percent. Additional experimental results
were:
* The Hand Key II had a mean transaction time of 10 seconds, a median
of 8 seconds, and a minimum of 4 seconds.
* The matching algorithm could make 80,000 matches per minute when
using a SunUltra5 with a SunOS5.8 operating system, 270 MHz processor,
and 128 MB of memory.
* Males had a somewhat lower FNMR than females.
Sandia National Laboratories:
In 1991, Sandia National Laboratories evaluated five biometric
technologies, with nearly a hundred volunteers testing each technology.
Nearly 20,000 transactions were recorded for RSI’s ID-3D hand geometry
devices. Overall, the hand geometry technology was the fastest, most
accurate, and most user-friendly device. Average verification time was
5 seconds, and the EER was about 0.2 percent. At the test threshold
value, the three-try FNMR was less than 0.1 percent, and the one-try
FMR was 0.1 percent.
Sandia National Laboratories performed a field analysis with hand
geometry for physical building access control from 1993 to 1995. RSI’s
model ID-3D HandKey biometric verifier was tested. Overall, 316 people
used the device in more than 100,000 instances. Sandia concluded that
the device operated differently in an exterior, unattended field
installation than in previous laboratory experiments: 7.20 percent of
the individuals failed in the first verification attempt, 53.48 percent
in the second, and 66.49 percent in the third. These percentages are
not equivalent to FNMRs, since not enough information was available to
determine whether users who were rejected should have been accepted.
They may have been correctly rejected because they may not have been
who they claimed to be. Researchers also found that maintenance and
cleaning were paramount; when the readers were not cleaned properly,
performance was severely degraded.
Border Control Applications Piloted and Deployed:
INSPASS:
Hand geometry is being used in many border control environments. The
INS Passenger Accelerated Service System (INSPASS), installed at seven
U.S. and two Canadian airports, uses 29 hand geometry kiosks to reduce
inspection time to less than 15 seconds for trusted travelers (see
figure 33). INSPASS enrollment is open to all citizens of the United
States, Canada, Bermuda, and visa waiver countries. To enroll,
travelers must provide a passport or travel document and two
fingerprints and present their hand geometry biometric.
Figure 33: A Traveler Using an INSPASS Hand Geometry Device:
Source: IR--Recognition Systems.
[See PDF for image]
[End of figure]
Ben Gurion Airport:
Since 1998, Ben Gurion Airport in Tel Aviv, Israel, has installed 21
hand geometry kiosks and enrolled more than 100,000 passengers. The
implementation was initially offered only to frequent international
travelers, but passenger demand led to its expansion to all Israeli
citizens. Each month, more than 50,000 travelers use the automated
passenger screening system to reduce the immigration process to about
15 seconds. When using the system, a traveler swipes a magnetic stripe
card over a biometric reader (see figure 34). More than 2 million
inspections have been performed, and they are growing at 2 percent a
month. In addition to biometric authentication, the system checks the
biometric against Israeli law enforcement and immigration databases.
Figure 34: A Traveler Using Ben Gurion Airport’s Biometric Hand
Geometry System:
Source: IR--Recognition Systems.
[See PDF for image]
[End of figure]
Basel Project:
Headed by Electronic Data Systems, the Basel Project will implement a
system using facial recognition and hand geometry for day workers
crossing into and out of Israel from the Gaza Strip. Fingerprint
technology was rejected because the primary users are laborers whose
fingerprints are not reliable for biometric matching. People will
enroll at the Israel-Palestine land border, receiving a contactless
smart card with a high-resolution picture and a hand geometry
biometric. When entering or leaving Israel, they will be processed
through 42 routing passages to unattended checkpoints at verification
terminals inside a building. It is estimated that 60,000 verifications
will be processed daily in one-to-one matches against stored templates
in a central server, with a backup stored on the smart card.
Port of Rotterdam:
In June 1999, the Port of Rotterdam, Europe’s busiest container port,
implemented a hand geometry system designed to speed cargo movement.
Each truck driver’s identity is verified with the biometric template
stored on a radio frequency smart card, accessed through the truck’s
window. It has more than 6,000 users and has logged more than 3 million
transactions.
CANPASS-Airport:
The CANPASS-Airport pilot at Vancouver International Airport was
initiated in October 1995 using both fingerprint recognition and hand
geometry technologies. The pilot used identity cards and biometric
identification devices to allow previously screened travelers to bypass
customs and immigration lines. Qualified Canadian and U.S. residents
entered Canada through a special line by opening an automated gate with
an encoded identification card and providing a fingerprint or hand
geometry biometric for one-to-one authentication. The system’s use was
discontinued on September 11, 2001.
Device Durability and Environmental Constraints:
Hand geometry is well suited for most environments. The equipment is
durable and can withstand most workload demands. Various types of hand
geometry devices on the market are suitable for all types of climates
(see figures 35 and 36). Most can withstand temperatures ranging from -
45 degrees to 120 degrees Fahrenheit and can provide protection against
snow, sleet, rain, splashing water, hose-directed water, falling dirt,
and wind-blown dust.
Figure 35: A Typical Hand Geometry Recognition Device:
Source: IR--Recognition Systems.
[See PDF for image]
[End of figure]
Figure 36: A Hand Geometry Recognition Device That Is Enclosed:
Source: IR--Recognition Systems.
[See PDF for image]
[End of figure]
[End of section]
Appendix IV: Facial Recognition Technology:
Every day, people identify other people by their faces. Much research
has yielded evidence that people may recognize others’ faces through a
unique process that highlights the importance of the location and shape
of eyes, nose, and eyebrows and face shape, chin, lips, and mouth, in
decreasing order. Because this process differs from how we recognize
other objects, the idea that machine recognition systems should also be
face-specific may have been encouraged. However, just as some people
may have difficulty differentiating between identical twins and other
people with similar features, facial recognition technology also cannot
effectively distinguish between people who resemble one another, and it
still requires development to full maturity. Nevertheless, active
research over the past 10 years has made the technology commercially
available.
How the Technology Works:
Facial recognition identifies people by the sections of the face that
are less susceptible to alteration--the upper outlines of the eye
sockets, the areas around the cheekbones, the sides of the mouth.
Systems using this technology capture facial images from video cameras
and generate templates for comparing a live facial scan to a stored
template. Facial recognition technology can also be used to compare
static images, such as digitized passport photographs.
The comparisons are used in verifying and identifying individuals.
Verification systems compare a person’s facial scan to a stored
template for that person and can be used for access control. In an
identification system, a person’s facial scan is compared to a database
of multiple stored templates. This makes an identification system more
suitable for surveillance in conjunction with closed-circuit television
(CCTV) to spot suspected criminals whose facial characteristics have
been captured and stored in a database on a template. The face is the
only biometric used in a viable recognition technology that is able to
operate without a user’s cooperation, since a CCTV camera need only
capture a picture for the technology to generate a template. However,
the technology is much more able to identify people who are motivated
to use the system correctly than those who are uncooperative and can
avoid recognition by, for example, using disguises or taking other
evasive measures.
The primary facial recognition technologies are used for one-to-one as
well as one-to-many matching. Whether used for verification or
identification, the stored image templates must be kept up to date,
since appearances naturally alter with age.
However, IBG’s testing has found that the core technology is highly
susceptible to falsely nonmatching users in one-to-one verifications
and to failing to identify enrolled users in one-to-many
identifications.
Two primary types of facial recognition technology are used to create
templates.[Footnote 44] Requiring as many as 1,300 bytes, or as few as
84 bytes, they are local feature analysis (LFA) and the eigenface
method.
Local Feature Analysis:
Patented by Visionics Corp.--now Identix Incorporated--LFA uses dozens
of images from regions of the face, resulting in feature-specific
fields--eyes, nose, mouth, cheeks. The fields’ relative locations are
incorporated so that the face can be represented as a topographical
grid made up of blocks of features. The features represented by these
blocks and their positions are used to identify or verify the face (see
figure 37).
Figure 37: Local Feature Analysis: A Topographical Grid of Facial
Regions:
Source: Identix Incorporated.
[See PDF for image]
[End of figure]
Just as Washington, D.C., can be identified by describing its
landmarks’ locations and their relative positions (e.g., the National
Mall has the U.S. Capitol building to its east, the Lincoln Memorial to
its west, and the Washington Monument and Smithsonian museums at its
center), a person’s face can be identified by the features defined by
LFA. Small shifts in a feature may cause a related shift in an adjacent
feature and the technology can accommodate these changes in appearance
or expression (such as smiling or frowning). Since LFA does not provide
a global representation of the face, it is rendered ineffective when a
person tilts his or her head from a direct frontal pose to more than
about 25 degrees horizontally or more than about 15 degrees vertically.
The Eigenface Method:
Eigenface, meaning roughly “one’s own face,” is a technology patented
at the Massachusetts Institute of Technology. Unlike LFA, the eigenface
method always looks at the face as a whole. A collection of facial
images is used to generate a set of two-dimensional, gray-scale images
(eigenfaces) to produce the biometric template (see figure 38). The
vast majority of faces can be represented by locating distinctive
features from approximately 100 to 125 eigenfaces. When a live image of
a person’s face is introduced, the system represents the image as a
combination of templates. This combination is compared with a set of
stored templates in the system’s database, and the degree of variance
determines whether or not a face is recognized.
Figure 38: Two-Dimensional, Gray-Scale Images of an Eigenface Template:
Source: Baback Moghaddam, MIT Media Laboratory.
[See PDF for image]
[End of figure]
Modifications of the algorithms used in LFA and the eigenface method
can lead to variances that incorporate:
* Neural network mapping: Comparisons of a live facial image with a
stored template are based on unique global features rather than
individual features. When a false match is made, the comparison
algorithm modifies the weight given to certain features, such as
shadows.
* Automatic face processing: Facial images are captured and analyzed
from the distances and distance ratios between features, such as
between the eyes.
The Leading Vendors:
The leading algorithms are licensed by Identix Inc. (which merged with
Visionics in June 2002) and Viisage Technology. Identix uses local
feature analysis; Viisage’s algorithm is based on the eigenface method.
The Cost of Devices:
A facial recognition server controlling access at a facility with up to
30,000 persons would cost about $15,000. Depending on the number of
entrances with installed facial recognition technology, the cost of the
software licenses would range from about $650 to $4,500. As the size of
the database and the number of attempted matches increased, so would a
system’s cost.
In addition to the server and software licenses, a live-scan facial
recognition surveillance system includes CCTV surveillance (see figure
39). A fully integrated CCTV system for physical access surveillance
can cost from $10,000 to $200,000, depending on the size of the
entrance and the degree of monitoring required. For additional CCTV
equipment, cameras can cost between $125 and $500. Cameras with
advanced features can cost up to $2,300.
Figure 39: CCTV Surveillance Equipment:
Source: Pelco.
[See PDF for image]
[End of figure]
Performance Issues:
The effectiveness of facial recognition technology is influenced
heavily by environmental factors, especially lighting conditions.
Variations in camera performance and facial position, expression, and
features (hairstyle, eyeglasses, beards) further affect performance.
Accurate image alignment is necessary for the leading facial
recognition algorithms, which rely on identifying eye positions. As a
result, current facial recognition technology is most effective when
used in consistent lighting with cooperative subjects in a mug-shot-
like position--where hats and sunglasses are removed and everyone looks
directly at the camera one at a time.
Attempts to spoof live-scan facial recognition systems have been
successful. In one test, trial images were obtained by downloading
unprotected reference facial images to a computer and by taking digital
pictures of an enrolled person. These images were displayed on a
notebook computer monitor and were successfully matched, granting
testers access to the system. A video of an enrolled person moving his
head slightly left and right also fooled the system.
User Acceptance:
When used in a verification system for access control, facial
recognition technology is typically considered by users to be less
intrusive than fingerprint readers, iris scanners, and other biometric
technologies. It can recognize people at a distance and does not
require users to pause and interact with the equipment. However, some
users are concerned that when used as a surveillance tool, facial
recognition technology can facilitate tracking them without their
consent. To address such concerns, specific policies for using facial
recognition in a surveillance application have been suggested,
including the following.
Transparency:
As with any technology, public understanding of the operation and uses
of electronic surveillance might mitigate fears that the government may
be tracking people’s whereabouts. Signs indicating the use of facial
recognition in surveillance systems should be prominently displayed,
and the government entity using facial recognition for surveillance
should provide as much information as possible to the public about the
technology’s purposes and capabilities.
No Match, No Memory:
Concerns have been raised about the possibility that facial recognition
surveillance systems can identify law-abiding citizens, not only
terrorists or violent criminals. A “no match, no memory” policy
dictates that a person’s image is saved only if a match is made to a
record in a watch list database.
Data Retention:
One issue that could arise is the government’s handling of the data it
collects. Even if a no match, no memory policy has been implemented, a
retention policy should be followed that indicates the time period
after which the data will be erased. Similarly, the data should be
securely stored and maintained.
Oversight:
Concern about how facial technology surveillance will be used is often
related to fear that the technology’s capabilities will be abused.
Facial recognition systems must be used only for the purpose they were
designed for, and some form of active oversight should be implemented.
A cooperative effort between government officials and citizen oversight
committees would provide accountability.
The Technology’s Maturity:
Operational Uses:
The largest implementation of Identix’s facial recognition technology
is the Mexican Federal Electoral Institute’s program to eliminate
duplicate voter registrations. This system helps the Institute prevent
citizens from voting more than once under different aliases. Facial
recognition is used to compare people with matching names to determine
whether the faces also match. The system’s database, first used in
Mexico’s July 2000 presidential elections, contains about 60 million
images.
The largest deployment of facial recognition for surveillance began in
1998 in Newham Borough, London, England, when Identix’s facial
recognition technology was introduced to 12 town center cameras to
record activity and decrease street robbery in an unsafe neighborhood.
With three hundred CCTV cameras, this system captures faces and
compares them against a police database of about a hundred convicted
street robbers known to have been active in the previous 12 weeks. When
a face does not match, the image is deleted; when a match is found, an
operator checks the result. In August 2001, 527,000 separate faces were
detected and operators confirmed 90 matches against the database.
Public approval of Newham’s system was judged by comparing the results
of opinion polls over the course of the implementation. When Identix’s
facial recognition technology was first introduced, 50 percent of local
citizens approved of the system. After about 2 years of operation, the
technology was credited with a 34 percent reduction in street robbery,
and the user approval rating rose to 90 percent. As the system has not
led directly to any arrests, the effect of facial recognition
technology appears to function largely as a deterrent to street crime
in the monitored area.
In the United States, Viisage’s facial recognition technology is
deployed in 17 states to identify people with credentials or
identification documents under more than one name. The majority of the
states’ databases consist of image templates from driver’s license
photographs. Illinois’s driver’s license database consists of about 10
million images and has the capacity for another 15 million images. The
technology can perform a one-to-many match against this database in
less than 15 seconds, and about 15,000 images are captured daily.
Facial recognition surveillance systems have been deployed in casinos
worldwide, performing one-to-many matching against a database of casino
offenders. Although the notable facial recognition implementations are
in surveillance applications, facial recognition systems have been
deployed in selected environments as a one-to-one verification solution
for physical and logical access. Some casinos use facial recognition
for employee time and attendance processing, while applications for
automated teller machine fraud prevention and security have been
implemented in grocery stores and gas stations.
Pilots: U.S. Airport
Surveillance:
Identix has been involved in four pilots that use facial recognition
for surveillance at U.S. airports. The pilots had different operating
scenarios to determine the relationship between the correct match rate-
-that is, the rate of actual matches--and the FNMR. Video cameras that
were not hidden from travelers were set up near the airport metal
detectors. The pilots were designed at some airports so that travelers
were specifically instructed to stop and look at the cameras; travelers
at other airports were not given such instructions.
From the four pilots, Identix concluded that lighting was the primary
performance factor. It learned also that the correct match rate, and
therefore the FMR, is quickly compromised as the threshold is adjusted
to minimize the FNMR. The data are shown in table 24.
Table 24: Identix Airport Facial Biometric Pilot Results:
Airport: Boston Logan International, Mass.; Status: Completed; False
match rate: Not reported; False
nonmatch rate: ~10%; Notes: Viisage technology was also piloted.
Airport: Dallas/Fort Worth International, Texas; Status: Completed;
False match rate: 1.2%; False nonmatch rate: 6-15; Notes: Two cameras
were used; when a match was made, the person’s image was dispatched to
a
central control room for further investigation.
Airport: Fresno Yosemite International, Calif.; Status: Ongoing; False
match rate: 1-5; False nonmatch rate: 5-15; Notes: A liquid crystal
display instructed each traveler when to pause in front of a fixed
camera
and when to resume walking.
Airport: Palm Beach International, Fla.; Status: Completed; False
match rate: 0.3; False nonmatch rate: 45; Notes: The objective was to
obtain an FMR as close to 0 as possible.
Source: GAO analysis of Identix data.
[End of table]
Facial Recognition Vendor Test 2000:
From May to June 2000, Naval Surface Warfare Center, Crane Division,
evaluated an identification system in the Facial Recognition Vendor
Test 2000 (FRVT 2000). The two test categories conducted during the
evaluation used the Face Recognition Technology (FERET) Database, which
DOD’s Counterdrug Technology Development Program Office sponsors. The
evaluation report was issued on February 16, 2001.
The first category, the recognition performance test, evaluated all
algorithms on a standardized database collected by a universal sensor.
Participating vendors were given 72 continuous hours in which to
compare 13,872 images to one another, amounting to more than 192
million comparisons. Three vendors completed this portion: Identix,
Viisage, and C-VIS Computer Vision and Automation GmbH. Banque
Technology Systems International Ltd. (Banque-Tec) and Miros Inc.
(E-True Technology), two other vendors, were able to compare only
approximately 4,000 of the 13,872 images in the allotted time, and
their results were not included.
Following this test, different environmental studies were conducted to
show how the system responded to numerous variables such as distance,
lighting, and facial expressions. We describe a sample of the results
from a number of environmental studies, noting the overall lack of
appreciable difference between the match accuracy of the Viisage and
Identix algorithms. For the identification experiments, the charts we
present show the probability that a vendor’s top match correctly
identified individuals. For the verification experiments, the results
show the probability of correct verification while holding the FMR
constant at 0.01. Each probe image was taken with a camera and matched
by the vendor’s system to the gallery images, which were drawn from
FERET and other large databases.
Distance Experiments:
The distance experiments were designed to evaluate the performance of
face-matching algorithms on images of subjects at different distances
from the fixed camera. For the distance experiments, the probe images
were taken at varying distances and compared, using the vendor’s
system, to gallery images that were taken at a distance of between 1.5
and 2 meters (see figures 40 and 41).
Figure 40: Facial Recognition Distance Identification:
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
Figure 41: Facial Recognition Distance Verification:
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
Across all algorithms, the three sets of distance experiments indicated
that performance decreases as the distance between the person and
camera increases. At a distance of 5 meters, Viisage, the best vendor
in this category, could correctly identify the image only about 13.7
percent of the time.
Expression Experiments:
The expression tests evaluated how well identification and verification
work when comparing images of the same person with different facial
expressions. In this test, the gallery image was a face with a specific
expression, and the probe image was the same face with an alternative
expression. Identification proved more sensitive to change in
expression than verification. Viisage and Identix correctly identified
and verified more than 80 percent of the images (see figures 42 and
43).
Figure 42: Facial Recognition Expression Identification:
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
Figure 43: Facial Recognition Expression Verification:
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
Media Experiments:
The media experiments were designed to evaluate the performance of
face-matching algorithms when comparing images stored on different
media. This application may be useful in comparing older mug shots to
newer pictures taken with digital cameras. For Viisage and Identix,
switching between 35 mm gallery images and digital probe images, and
vice versa, did not significantly affect performance (see figures 44
and 45).
Figure 44: Facial Recognition Media Identification: Digital to 35 mm:
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
Figure 45: Facial Recognition Media Verification: Digital to 35 mm:
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
Pose Experiments:
The pose experiments measured the effect of different viewpoints on
identification. They attempted to match a frontal gallery image with
probe images that were rotated various degrees away from the front. The
results reflected the best score of all vendors at each degree. As the
degrees from the frontal image increased, the probability of
identification fell rapidly. At 60 degrees away from the frontal image,
identification was correct only 30 percent of the time (see figure 46).
Figure 46: Facial Recognition Pose Identification:
Note: These results reflect the best scores of all vendors at each
degree.
Source: FRVT 2000.
[See PDF for image]
[End of figure]
Temporal Experiments:
Temporal experiments addressed the effect of time delay between a first
and subsequent capture of facial images. The test attempted to match
each probe image with a gallery image of the same person taken
approximately 1 year earlier. These experiments showed that a vendor’s
ability to correctly identify and verify images decreases significantly
with time. After 1 year, Viisage and Identix identified 31 percent and
48 percent of faces, respectively. Viisage correctly verified 41
percent of images, Identix 56 percent (see figures 47 and 48).
Figure 47: Facial Recognition Temporal Identification:
Note: The time period measured was 1 year.
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
Figure 48: Facial Recognition Temporal Verification:
Note: The time period measured was 1 year.
Source: GAO analysis of FRVT 2000 data.
[See PDF for image]
[End of figure]
The second test category, product usability, evaluated the complete
facial recognition system rather than just the facial recognition
algorithm. An access control scenario with live subjects was chosen.
Five vendors reported results, including the three vendors that
completed the recognition performance test and the two that did not.
When discussing the results, however, it is important to note that some
systems tested were not intended for access control applications.
The two product usability tests were the enrollment timed test (ETT)
and the old image database timed test (OIDTT). The tests had two main
differences: (1) the subjects were stationary for the ETT and walked
toward the camera in the OIDTT and (2) all vendors performed
substantially better on the ETT, in which they enrolled the images
under their own systems, than on the OIDTT, in which the images were
provided to them before the test. Also, the facial recognition systems
were quicker and more accurate in the verification experiments than in
the identification experiments. See table 25 for the results.
Table 25: Facial Recognition Product Usability Test:
Vender: [Empty]; Vender: [Empty].
Vender: Banque-Tec; [Empty]; Old image database timed: Percent
verified: 7%; Old image database timed: Percent
identified: 0; [Empty]; Enrollment timed: Percent
verified: 22%; Enrollment timed: Percent identified: 22%.
Vender: C-VIS; [Empty]; Old image database timed: Percent
verified: 0; Old image database timed: Percent
identified: 0; [Empty]; Enrollment timed: Percent
verified: 69; Enrollment timed: Percent identified: 83.
Vender: Identix; [Empty]; Old image database timed: Percent
verified: 64; Old image database timed: Percent
identified: 31%; [Empty]; Enrollment timed: Percent
verified: 78; Enrollment timed: Percent identified: 52.
Vender: Miros (E-True); [Empty]; Old image database timed: Percent
verified: 36; Old image database timed: Percent
identified: 0; [Empty]; Enrollment timed: Percent
verified: 78; Enrollment timed: Percent identified: 71.
Vender: Viisage; [Empty]; Old image database timed: Percent
verified: 0; Old image database timed: Percent
identified: 0; [Empty]; Enrollment timed: Percent
verified: 84; Enrollment timed: Percent identified: 84.
Note: Percentages are correct matches. Matching that took longer than
10 seconds counted as failure.
Source: GAO analysis of FRVT 2000 data.
[End of table]
Facial Recognition Vendor Test 2002:
Facial Recognition Vendor Test 2002 (FRVT 2002), a follow-up to FRVT
2000, does not use the FERET database and is not a live facial
recognition test.[Footnote 45] Since the variables involved with a live
capture do not allow for an equal test bed among all the participants,
databases of photograph images will be used. Also, this test will
include video data to determine whether multiple images of a person
increase matching accuracy.
Twenty-seven organizations are participating in FRVT 2002, each testing
for a minimum of 4 days and a maximum of 11 days with its own hardware
and software (i.e., its own algorithms). The tests will perform a 100
kilobyte by 100 kilobyte comparison (comparing each face to every other
face in the database) and return the results in the form of similarity
matrixes. In preliminary tests of facial recognition, NIST has seen a
75 percent probability of verification with a 1 percent probability of
false acceptance, compared with fingerprint recognition’s 95 percent
probability of verification and 1 percent probability of false
acceptance.
Biometric Product Testing:
NPL conducted a performance evaluation of seven biometric systems from
May through December 2000, producing a final biometric product testing
report on March 19, 2001. The facial recognition portion of the test
used an Identix FaceIt Verification demonstration as well as
alternative enrollment and matching algorithms.
The 0 percent FTER included persons unable to present the required
biometric feature, those unable to produce an image of sufficient
quality at enrollment, and those unable to reproduce their biometric
feature consistently. At an FMR of about 1 percent, the facial
recognition system with the alternate matching algorithm had an FNMR of
approximately 3.3 percent. Additional experimental results were:
* The facial recognition system collected a sequence of images over a
10-second period, saving the best match. This resulted in a mean
transaction time of 15 seconds, a median of 14 seconds, and a minimum
of 10 seconds.
* The matching algorithm could make 800 matches per minute with a
Pentium processor, a Windows interface, and a Windows 2000 operating
system. These diagnostic programs had significant overhead, so the
matching algorithm may be significantly faster than the results showed,
perhaps by a factor exceeding 100.
* Tests also found that males had a lower FNMR than females, and the
FNMR for attempts made immediately following enrollment were
significantly lower than those made at a volunteer’s second or third
visit.
U.S. Army Research Laboratory Test:
For a personnel identification application, the Army Research
Laboratory tested an identification system from July through October
2001, using Identix facial recognition technology. With 270
participants, approximately 42,000 face identification attempts were
made. Despite the vendor’s claims of a 75 percent rate of correct
identification, the testing showed that only 51 percent were correctly
identified. Further, the correct identification was in the system’s top
10 possible matches only 81 percent of the time, instead of the 99.3
percent that the vendor claimed. Inadequate lighting was a primary
performance issue.
FAA Facial Recognition Test:
In 2001, FAA and Safe Skies tested a facial recognition technology
system for access control of airport employees. Following the test, the
biometric system was removed. Twenty-eight people successfully enrolled
in an average of 3 minutes and 2 seconds. The test included operational
testing in a normal environment as well as testing under a controlled
environment. The FNMR for the operational test was approximately 26
percent. Before device installation, the time required to pass through
the door was approximately 2 seconds; after installation, 11.5 seconds.
The FNMR for the controlled test was approximately 3 percent. Under
normal test conditions, the rate of passage through the door was about
six people per minute.
Test results for abnormal conditions were as follows:
* FNMR was nearly 100 percent when test subjects enrolled without
sunglasses but passed through the device with sunglasses. The opposite-
-enrolling with sunglasses and presenting with sunglasses--also yielded
an FNMR of nearly 100 percent.
* When test subjects enrolled without reading glasses but passed
through the device with reading glasses, FNMR was nearly 60 percent;
when they enrolled with and presented without reading glasses, FNMR was
nearly 20 percent.
* FNMR increased notably for one test subject of three with a 5-day
beard growth. No effect was noted for the two other subjects. The
effect was little or none for enrolling with 5-day beard growth and
then attempting access while clean-shaven.
* A horizontal ¾-inch adhesive bandage on the chin produced an overall
FNMR of 40 percent, but the results were highly dependent on the test
subject--three had a rate of 0 percent and two had a rate of 100
percent. A round bandage on the cheek produced an overall FNMR of 6
percent.
* No effect was noted from high backlighting directly; however, one
test subject with glasses was falsely rejected 10 of 10 times. Further
investigation showed a reflection on the glasses from the backlighting
from the door window.
State Department Consular Affairs Tests:
The Department of State Bureau of Consular Affairs evaluated facial
recognition technology for identifying ineligible visa applicants.
Viisage and Identix provided facial recognition software. The final
evaluation report was issued on January 30, 2001.
Laboratory testing involving data sets of 10,000 to 100,000 images
revealed that less than 30 percent of intentionally seeded duplicate
images were correctly matched. This translates into an FNMR of around
70 percent. The processing speed for facial recognition enrollment was
more than adequate. Images were aligned and enrolled at a rate of
approximately two per second for both tested products. Processing speed
for search ranged from excellent for one vendor’s product to marginal
for the other vendor’s product. In the latter case, an improved version
of the software, submitted after formal testing was completed, was
faster by a factor of two in performing searches of large data sets.
The search speed might limit its usefulness in processing a large data
set but is acceptable for daily operations.
The National Visa Center tested the technology with the diversity visa
program in the field. This trial showed that a facial recognition
system can be successful in identifying matches involving duplicate
applications. More than 500 matches were found while examining more
than 5,000 of 35,000 possible duplicate images. Of these 500 and more,
146 represented cases that had not been discovered by other means. This
success was obtained despite the obviously poor quality of the pictures
submitted, the poor capture characteristics of the Quickcam cameras
used, and the less than optimal scanning technique the data entry
personnel used. It was observed that Identix’s product was more
forgiving of the image quality problems and generally reported more
matches.
Despite the vendors’ cooperative, responsive, and interactive approach
in supplying testable products and engineering support, the facial
recognition software packages, even in their “final” versions,
following numerous developmental versions, exhibited significantly
troublesome behavior--such as corrupt databases, poorly implemented
capabilities, and the need for workaround solutions--that impeded
testing.
Border Control Applications Piloted and Deployed:
INS SENTRI:
INS conducted a facial verification test for the Secure Electronic
Network for Travelers Rapid Inspection (SENTRI) from November 1997
through July 1998 at California’s Otay Mesa port of entry. The facial
verification test involved taking video images of drivers at an
inspection booth. The video clips were compared to the SENTRI
enrollment database of photographs for all drivers in the SENTRI lane.
An Identix system was used for the tests.
The experiment found that pictures taken in a full frontal enrollment
pose showed a significantly higher recognition rate than pictures taken
when the head was rotated slightly. It also found a principal
identification problem when the image was obtained during validation.
Obscured faces that were hidden by part of the vehicle and those with
excessive glare or extreme shadows were essentially unusable. In
testing, the proportion of video clips exhibiting these properties was
initially very high. Adding cameras increased the chance of getting an
unobstructed video clip. A new camera system using fuzzy logic helped
reduce glare and shadows.
With these changes, the system was able to get usable images for
approximately 90 percent of the vehicles in a lane. With such images,
the system had an FNMR of 1.6 percent and a low EER of 2.1 percent. The
report concluded that the facial verification system performed
admirably in a challenging environment.
State Department Posts:
The State Department is conducting pilots using facial recognition
technology from Identix and Viisage to compare images from 23 of its
posts. The facial recognition software is used primarily to compare
digital pictures in one-to-many matching to identify people who apply
more than once for nonimmigrant visas or diversity visas.[Footnote 46]
A secondary one-to-many matching of photographs from both previously
issued visas and new visa applications is performed against a watch
list database. The photographs from all visa applications are scanned
into the system, regardless of whether visas are issued or applications
are rejected. All scanned images (not just the templates) are retained
in case future versions of the facial recognition software use a
different template format.
The primary performance factor for the State Department pilots has been
the quality of the photographs submitted with applications. The better
the quality of the photographs is, the more likely it is that match
results will be good. It was found that many of the images in the
databases are poor in quality--either too dark or too light for facial
recognition, poorly focused, or distorted in some other way.
Consequently, the State Department is working to develop standards for
photograph quality. Age was found to be a performance factor. For
example, both Identix and Viisage have found it difficult to match
children because their faces change rapidly. However, State Department
officials have not noticed any appreciable differentiation in the
quality between the Identix and Viisage match algorithms.
Of approximately 197,000 images (applicants’ photographs) for diversity
visas processed in the 2002 program year, 75 percent were successfully
enrolled in the diversity visa facial recognition database. The images
from the 74,348 successful applications were matched against the
enrollment database. About 6,000 candidate matches were made; 85
percent were determined to be actual matches. The facial recognition
technology identified 60 individuals who submitted multiple
applications that were not detected by the manual process.
In October 2001, 23 posts processed approximately 26,000 nonimmigrant
visa images, of which 78 percent were successfully enrolled in the
nonimmigrant visa facial recognition database. For all 23 posts, around
4,000 candidate matches were made. The percentage of actual matches
varied by post, as one post’s matching had an FMR of 1 percent, and
another post’s matching resulted in an FMR of 65 percent.
Iceland:
One of the first major installations of facial recognition technology
at an airport was at Iceland’s Keflavik International Airport in June
2001. As a result of Iceland’s participation in Europe’s Schengen
agreement, border controls between that country and others
participating in the agreement have been eliminated.[Footnote 47] The
facial recognition system was implemented to identify known criminals
and false asylum seekers while maintaining a level of convenience for
citizen travelers.
Israel:
The Basel Project is a pending implementation of facial recognition and
hand geometry for day workers entering and exiting Israel by way of the
Gaza Strip. Fingerprint technology was rejected, since the primary
users are laborers whose fingerprints are unreliable as a biometric for
matching.
Individuals enrolling at the Israeli-Palestinian land border will
receive a contactless smart card with a high-resolution picture and a
hand geometry biometric. As they enter and leave Israel, they will be
processed through 42 routing passages to unattended checkpoints at
verification terminals inside a building. An estimated 60,000
verifications will be processed daily, performing a one-to-one match
against a stored template in a central server, with a backup stored on
the smart card.
Australia:
Australia’s Sydney Airport is conducting a facial recognition pilot to
determine cost effectiveness and efficiency in an operational
environment. The technology is being used for both verification and
identification. One-to-one verification is performed to identify false
passports as travelers present their passports, and one-to-many
identification is used to identify terrorists among the crowds.
Dominican Republic:
The Dominican Republic is implementing Identix’s facial recognition
technology for scanning passports at 120 entry points. The system will
capture a face biometric, which will be used in a search against a
central criminal watch list database. If another biometric is needed in
the future, the passport reader will also be capable of reading a
fingerprint.
Processing Issues:
Processing speed for facial recognition enrollment is approximately two
images per second. The raw search speed is one million searches per
second on a single computer, but other factors are involved, such as
the size of the database. For an identification application, search
speed can be dramatically improved by storing some templates on a disc
during alignment for use during later searches. A facial recognition
system can be designed to achieve a desired response time by increasing
the number of processors, but the trade-off to increased speed is
greater cost.
Because facial recognition biometrics can be used in various
applications, different requirements affect performance time
differently. The requirements for performing a background check and a
duplicate face check at enrollment would differ from those for
performing verifications at borders. Verifications at a border would be
practically instantaneous if performing a one-to-one match against a
template stored on a travel document or a smart card, but an additional
one-to-many watch list search would add time, depending on the size of
the database. Facial recognition results in a faster response time than
fingerprint recognition in a one-to-many search. The implication of a
heavily queried database is that a priority level must be assigned to
determine when the various transactions are to be handled.
Device Durability and Environmental Constraints:
In surveillance applications, travelers would not interact physically
with the cameras and computers that run the facial recognition
technology. The durability of this equipment would depend on the
manufacturer’s specifications.
Because lighting is such a major performance factor, the use of awnings
or shades with outdoor installations of facial recognition technology
could be required to block direct light. Without awnings or shade,
glare or shadows might present a problem that could be compounded by
reflections from nearby buildings or vehicles.
[End of section]
Appendix V: Iris Recognition Technology:
Iris recognition technology was developed in 1992 and is therefore one
of the newest of the commercially available biometric technologies. It
is based on the distinct, visible characteristics of the eye’s iris,
the colored ring that surrounds the pupil (see figure 49). Built from
elastic connective tissue, the iris is a very rich source of biometric
data. The characteristics of the iris are formed during the eighth
month of gestation and do not change except through actions such as
refractive surgery, cataract surgery, and cornea transplants. Iris
recognition can even be used to verify the identity of blind people as
long as one of their sightless eyes has an iris.
Figure 49: The Iris and Other Parts of the Eye:
Source: Copyright, the American Academy of Ophthalmology.
[See PDF for image]
[End of figure]
The iris has more numerous and dense forms of variability than other
biometrics. Whereas traditional biometrics have only 13 to 60 distinct
characteristics, the iris can be said to have 266 unique spots, and
iris recognition technology uses some 173 of these features. The
primary visible characteristic of the iris is the trabecular meshwork,
tissue that gives the appearance of dividing the iris radially. Other
features include striations, rings, furrows, a corona, and freckles.
Besides the iris’ many distinctive characteristics, its patterns also
differ substantially from person to person. A person’s left and right
eyes have different iris patterns, and the irises of identical twins
have almost no statistical similarity. It has been postulated that the
probability of two persons having the same iris pattern is 1 in 7
billion.
How the Technology Works:
An iris recognition system uses a small high-quality camera to capture
a black-and-white, high-resolution picture of the iris. The technology
relies on infrared imaging, using wavelengths from 700 to 900
nanometers, a range the American Academy of Ophthalmology has stated is
safe.
How close the person should be to the camera and her level of
participation depend on the type of system. Physical access control
applications require a person to stand within 3 to 10 inches of the
camera and center the iris in a mirror within an area 1 inch square
directly in front of the camera (see figure 50). The system may prompt
the person to move slightly forward or backward to allow a proper image
capture. Systems using desktop cameras to control logical access to
computers and networks require a distance of about 18 inches to capture
the iris image (see figure 51). Users must center their eyes on the
camera with a guidance light or hologram. Personal identification
systems, such as those at airport kiosks in trusted traveler
applications, allow users to stand as far away as 3 feet. However,
users must remain still as the camera locates the eye and captures the
image.
Figure 50: Iris Recognition Physical Access Control System:
Source: Panasonic Digital Communications & Security Co.
[See PDF for image]
[End of figure]
Figure 51: Iris Recognition System with Desktop Camera:
Source: Panasonic Digital Communications & Security Co.
[See PDF for image]
[End of figure]
An iris recognition system first defines the boundaries of the iris,
establishes a coordinate system over the iris, and defines the zones
for analysis within the coordinate system. Feature extraction
algorithms map the segments of the iris into hundreds of independent
vectors that define the orientation and spatial frequency of the
distinctive features, along with the position of the features. However,
the entire iris is not used: A portion of the top as well as 45 degrees
of the bottom remain unused, to account for pupil dilation, occlusion
from eyelids, and reflection from the camera (see figure 52).
Figure 52: Mapping the Eye for Iris Recognition Systems:
Source: Dr. John Daugman, Cambridge University, Cambridge, U.K.
[See PDF for image]
[End of figure]
Algorithms also check for the presence of a pattern on the sphere of
the eye instead of on an internal plane and use measurements at
different wavelengths to determine that the eye is living. The visible
characteristics within the zones are then converted into a 512 byte
template that is used to identify or verify the identity of an
individual; 256 of these bytes contain control information.
The Leading Vendors:
Iridian Technologies Inc. is the sole owner and developer of iris
recognition technology. Iridian markets applications through hardware
manufacturers and systems integrators, including Argus Solutions,
EyeTicket Corp., IBM, Joh. Enschede Security Solutions, LG Electronics,
NEC Singapore, Oki Electric Industry Co., Panasonic, SAFLINK Corp.,
Siemens AG, Titan Corp., and Unisys.
The Cost of Devices:
Iris recognition systems cost approximately $2,000 for physical access
units. The camera itself costs $200.
Performance Issues:
Some users are unable to provide adequate enrollment images because
they find the iris image capture process too difficult. Poor eyesight
may also hinder the ability of some people to line up their eyes with
the camera. Colored and bifocal contact lenses can affect system
performance, and so can exceptionally strong glasses. People with
glaucoma may not be reliably identified. Also, glare and reflections,
along with user settling and distraction, can cause interference.
User Acceptance:
Some people resist technologies that scan the eye, but unlike biometric
identification and verification technologies such as fingerprint
recognition or hand geometry, iris recognition technology requires no
body contact. Iris recognition technology is more user friendly than
retina recognition systems in that no light source is shone into the
eye and close proximity to the scanner is not required. However, iris
recognition does use active infrared illumination in the 700 to 900
nanometer wavelength range. It has none of the inherent risks
associated with lasers. Some people assume that the imaging of their
irises will reveal their medical data, such as heart disease, diabetes,
and high blood pressure, but images of the iris acquired for iris
recognition reveal no information about a person’s health.
The Technology’s Maturity:
Operational Uses:
Iris recognition is being used operationally for physical access
control, logical access control, and personal identification
applications. An EyeTicket access control system was installed at
Douglas International Airport in Charlotte, North Carolina, in July
2000 to control airline and airport employee access to restricted
areas. The company has also installed the access control system at
Germany’s Frankfurt Airport. Iridian has installed IrisAccess™ at
Baltimore Technologies’ data hosting center in Sydney, Australia.
Access to the highly secure facility requires that anyone requesting
entry verify her identity with both a proximity card and the iris
recognition technology.
The Office of Legislative Counsel for the U.S. House of Representatives
has recently installed an iris recognition system to protect
confidential computer files and working documents. Iris recognition
systems have been deployed in several prison systems in the United
States to prevent inmates from swapping identities with visitors as
well as to verify the identity of prisoners before they are released.
Tests:
Biometric Product Testing:
NPL conducted a performance evaluation of seven biometric systems from
May through December 2000. The iris portion used Iridian’s IriScan
System 2200. The FTER was 0.5 percent. The FMR was 0 percent and the
iris recognition system had an FNMR of 1.9 percent. Additional
experimental results were that:
* the iris system had a mean transaction time of 12 seconds, a median
of 10 seconds, and a minimum of 4 seconds;
* the matching algorithm could make 1.5 million matches per minute when
using a SunUltra5 with a SunOS 5.8 operating system, 270 MHz processor,
and 128 Mb of memory; and:
* people without glasses had a lower FNMR than those with glasses.
U.S. Army Research Laboratory:
The U.S. Army Research Laboratory recently tested an Iridian
verification system. There were 186,918 eye identification attempts on
93,459 registrations. The FMR was well below 1 percent. Despite the
vendor’s claims of greater than 99.5 percent correct identification,
the testing showed a 6 percent FNMR; glare and reflections appeared to
be primary culprits in this discrepancy. User settling and distraction
also contributed to the problem.
Sandia National Laboratories:
In April 1996, Sandia National Laboratories evaluated a prototype
biometric recognition system provided by IriScan. Average enrollment
time was 2 minutes and 15 seconds. During the first phase of the test,
there was a raw FNMR of 11.8 percent. After removing the errors that
could be attributed to extreme environmental conditions or deliberate
misuse, the FNMR became 10.2 percent. The average transaction time of a
sampling of transactions was 14 seconds. The minimum transaction time
recorded was 6 seconds, the maximum 23 seconds. Users attempted 96
false match transactions with no actual false matches. Overall, the
researchers concluded that the system performed extremely well in
difficult conditions.
c’t Magazine:
Researchers at c’t Magazine in Germany set out to see whether they
could fool Panasonic’s Authenticam BM-ET100, a desktop iris recognition
system. The investigators’ first attempts to spoof the system by using
iris images projected on monitors failed because of the too intense
reflection of light. However, they succeeded in beating the system by
holding up to the camera a high-resolution picture of an iris with a
tiny hole cut out to allow the pupil of a live eye shine through. They
also found it possible to enroll with the aid of this artificial eye.
From that point on, anyone in possession of the eye pattern was able to
log on to the system. Moreover, the system also matched the iris of the
person whose picture had been used to create the artificial eye with
the enrolled reference template.
Border Control Applications Piloted and Deployed:
United Kingdom:
Iris recognition has been used in some border control environments. For
example, beginning in July 2001, frequent travelers on transatlantic
Virgin Atlantic Airways and British Airways flights have been able to
bypass passport control at London’s Heathrow Airport, without waiting
in line for an immigration agent. In trial runs, 2,000 American and
Canadian passengers have undergone identity checks by British
immigration officers before being enrolled. Once registered and
enrolled, they can proceed, as arriving passengers, directly to
specific lanes to verify their identity against a biometric template
stored in a central database (see figures 53 and 54). If the
verification is successful, they are issued a ticket admitting them
directly to the United Kingdom. The trial is being operated by the
airlines and involves no changes to passports.
Figure 53: Iris Recognition Device for Border Control at London’s
Heathrow Airport:
Source: EyeTicket Corporation.
[See PDF for image]
[End of figure]
Figure 54: Border Control Lane with Iris Recognition Device at London’s
Heathrow Airport:
Source: EyeTicket Corporation.
[See PDF for image]
[End of figure]
Canada:
The Canada Customs and Revenue Agency has initiated the Expedited
Passenger Processing System, which will include iris recognition
technology. The system will allow frequent travelers to expedite
inspection. It is planned to be operational at Lester B. Pearson
International Airport in Toronto and Vancouver International Airport at
the beginning of 2003. An enrollment of about 200,000 spread out over 5
years is expected. The plan is to use a central database for storing
the iris templates. Initially, it was not clear whether computer
performance would allow for a central database, so provision was made
for a token to store the biometric. However, testing has shown that
doing the checks centrally does not significantly affect performance
time. Either one-to-one matches (with an identifying token) will be
made or one-to-many, with the system identifying applicants by the iris
match.
Netherlands:
In October 2001, an iris recognition system was installed at
Amsterdam’s Schiphol Airport. The system expedites the way for
travelers from 18 European countries into the Netherlands and includes
about 2,000 frequent travelers. Users must go through a two-phase
process. First, passengers undergo a background check, a passport
review, and an iris scan. The template is encrypted and embedded on a
smart card. This phase takes about 15 minutes. The second phase
identifies and verifies each registered traveler at the immigration
checkpoint. The traveler’s reference template is compared with a real-
time scan of the iris. This process typically takes about 10 to 15
seconds and allows the passenger to bypass long immigration lines. The
Schiphol program charges each enrolled traveler a yearly fee of $89 to
use the system. The FNMR is less than 1 percent; the FMR is less than
0.001 percent.
Singapore:
Iris recognition is used to admit workers who travel into Singapore
from Malaysia each day by motorcycle. The workers’ irises are scanned
by a camera installed in kiosks in designated lanes, instead of their
having to present their paperwork to an official. About 50,000 workers
cross the border each day.
Saudi Arabia:
In February 2002, at the King Abdul Aziz Airport in Jeddah, Saudi
Arabia, iris recognition tracked and identified visitors who were on
pilgrimage for the Hajj season of worship. The process included a
random check at passport control, enrollment into a database, and
subsequent identification on departure. The systems were in place to
ensure that visitors did not overstay their visas and also to identify
potential security threats. It is estimated that images of 20,000 to
30,000 irises were collected.
Processing Issues:
Although iris recognition systems can perform both one-to-many
identification and one-to-one verification, they are deployed primarily
for identification. In some processors, iris recognition technology can
search hundreds of thousands of records per second. Very few biometrics
have the capability of iris recognition for a high-speed exhaustive
search of a database.
Device Durability and Environmental Constraints:
Because iris recognition systems use infrared illumination, they can be
used in the dark. Their durability depends greatly on the
specifications of the system’s individual components.
[End of section]
Appendix VI Cost Estimates for Using Biometrics for Border Security:
For each of the four scenarios, we created cost models to estimate the
cost of developing, implementing, and maintaining various biometric
systems. Besides including the cost of purchasing the biometric
hardware, we estimated costs for additional hardware, software,
maintenance, personnel, training, and effects on other procedures in
order to derive life-cycle cost estimates. We followed the cost element
structure that DOD uses at acquisition program milestone and decision
reviews to assess major automated information systems costs. Tailoring
this structure to reflect our four scenarios, we used it to standardize
costs so that they could be compared at a high level. We present the
costs in two parts. Initial costs represent the costs required to plan,
design, develop, and field the system. Recurring costs represent the
annual costs required to operate and continually maintain the system to
keep it in operation.
Initial Cost Elements:
We estimated seven sets of initial cost elements: costs for systems
engineering and program management; development, installation, and
training; biometric hardware; biometric software; network
infrastructure; renovating consular facilities; and hardware
infrastructure upgrades.
Systems engineering and program management costs included both program
management activities and government in-house engineering efforts to
design, develop, and test the biometric system. For the watch list
scenarios, we used an engineering build-up of personnel and their
respective costs. For issuing visas and passports with biometrics, we
used an overall factor of the total initial cost to estimate this
effort.
Development, installation, and training costs included all resources
required to design, develop, test, and implement a biometric system.
For the watch list scenarios, we used an analogy to the Consular
Lookout and Support System (CLASS) to estimate the cost of developing
and implementing a watch list database. For issuing visas and passports
with biometrics, we used an analogy to IAFIS and applied an engineering
scaling factor to account for additional biometric storage space.
Biometric hardware costs included costs for biometric scanners, token
card readers, and token cards for storing biometric data as well as
costs for the personal computers to make these devices function
properly. To estimate costs, we used average vendor costs where
available and, in other cases, we relied on expert opinion.
Biometric software costs included the licensing cost for biometric
scanners, card readers, and database software. For the watch list
scenarios, we used cost estimates provided by the State Department,
based on analogy to CLASS. For issuing visas and passports with
biometrics, we assumed this cost was already included in the
development cost for IAFIS.
Network infrastructure included costs associated with purchasing and
installing the local area networks needed to establish the connectivity
required by the biometric systems. For the watch list scenarios, we
used cost estimates provided by the State Department, based on an
analogy to CLASS. For issuing visas and passports with biometrics, we
used an analogy to a trusted traveler cost estimate developed by IBG.
To issue visas with biometrics, additional space at the consulates and
embassies will be required to accommodate the new process of capturing
applicantsí biometrics. For the watch list scenarios, the consular
facility cost is for the renovation of primary and contingency space
for the new computer systems. We used square foot data provided by the
State Department to estimate this cost. We did not include costs for
the collection of biometrics at passport acceptance offices because
most of these are not State Department facilities, and we had no basis
on which to estimate the appropriate amount of space for these offices.
Hardware infrastructure upgrades included the cost to refresh hardware
every 3 years. To estimate this element, we calculated the cost to
replace one-third of the hardware annually, an accepted industry
standard and the practice for the State Departmentís visa and passport
sites.
Recurring Cost Elements:
We estimated 10 sets of recurring cost elements: program management,
biometric hardware maintenance, software and system maintenance,
network infrastructure maintenance, consular operating personnel, port
of entry operating personnel, communications, training, consular
facility maintenance, and annual supplies.
Program management included the cost of providing continuing program
management over the systemís useful life. To estimate this cost for the
watch list scenarios, we used an engineering build-up of personnel and
their respective costs. For issuing visas and passports with
biometrics, we estimated this cost to be 20 percent of the initial
systems engineering and program management cost.
Biometric hardware maintenance included the cost of providing
maintenance and repair for the biometric and system hardware. We used
an average factor of 12.5 percent, based on a 10 percent to 15 percent
range IBG provided in its trusted traveler cost estimate.
Software and system maintenance costs included annual software
licensing for databases plus costs for personnel to upgrade and
maintain them. For the watch list scenarios, we used an engineering
build-up of personnel and their respective costs. For issuing visas and
passports with biometrics, we used an analogy to IAFIS annual system
costs, applying the engineering scaling factor to account for
additional database storage of the various biometrics.
Network infrastructure maintenance included the cost of providing
hardware and software maintenance for the network. For the watch list
scenarios, we used data from the State Department, based on its
experience from CLASS. For issuing visas and passports with biometrics,
we used the same factor of 12.5 percent that was used for estimating
hardware maintenance.
The costs for consular operating personnel are for visa operating
personnel at embassies and consulates around the world or for passport
operating personnel at passport acceptance offices. For the checking of
a biometric watch list before issuing visa, we estimated that one
additional staff member per embassy or consulate would be required to
resolve watch list hits. We did not include additional staff for
checking a biometric watch list before issuing a passport. For the
issuance of visas with biometrics, we first estimated the number of
personnel needed at the consulates, using time to capture the
biometrics as a variable. We then estimated the cost for the foreign
service nationals who would perform the capturing, the foreign service
officers who would oversee them, and auxiliary consulate staff to
assist during peak load times. The annual costs for all visa operating
personnel and the one-time moving costs for new foreign service
nationals and officers were provided to us by the State Department. For
the issuance of passports with biometrics, we assumed one staff member
per passport acceptance office to troubleshoot problems with the
biometric equipment.
Port of entry operating personnel include staff to troubleshoot
biometrics at ports of entry. To estimate costs for these personnel, we
made the assumption that there would be three staff per port of entry
who would be trained and able to troubleshoot problems arising from
biometric capturing or the inability to match biometric data.
The costs of communications included the cost of maintaining a wide
area network able to provide secure electronic connectivity from the
consular and port of entry sites to a headquarters location for
comparing biometrics. To estimate this element, we used an analogy to
IAFIS communication costs with a cost-per-location methodology.
Training included the costs to train personnel in using biometrics,
including the cost of travel. We used an average of $5,000 per staff
annually to estimate this cost.
The cost of maintaining consular facilities included maintaining newly
acquired space. We used data on cost per square foot provided by the
State Department.
In estimating the cost of annual supplies, we included the cost to
purchase biometric token cards for the storage of biometrics collected
for issuing passports and visas. This cost also includes the amortized
cost of the infrastructure required to produce the cards, including
elements such as centralized certificate issuance servers, key
management components, and the card management infrastructure. We used
data provided by the State Department for the Mexican border crossing
card.
Assumptions:
We prepared the life-cycle cost estimates using fiscal year 2002
constant dollarsóthat is, inflation was not considered for the multiple
years over which funds would be required for acquisitionóand they
represent rough order of magnitude costs. Following are the assumptions
that frame the boundary of our cost estimates.
* Scenario life-cycle cost estimates represent development and
installation time plus 10 yearsí operational life.
* Phasing of costs over time is simplified, and actual schedules to
both develop and install equipment and infrastructure will most likely
differ.
* Biometric technologiesófingerprint, facial, and iris
recognitionórepresent standardization to a single vendorís protocols.
Biometric technology costs represent the average costs of vendorsí
products. Four flat fingerprints will be collected for fingerprint
recognition.
* There are 210 visa-issuing embassies and consulates worldwide. There
are 4,500 passport acceptance offices. There are 3,950 primary and
secondary inspection stations at 400 ports of entry.
* Personnel costs reflect both direct costs and indirect costs. Three
personnel will be needed to troubleshoot equipment at ports of entry,
or 1,200 additional staff.
No costs were estimated for:
* additional inspectors at ports of entry,
* additional facility space for passport acceptance offices or at ports
of entry for primary and secondary inspections,
* biometric equipment for exiting the United States, and:
* biometric security technology (e.g., encryption of biometric data).
Estimated Costs for Conducting Watch List Checks with Biometrics:
We used the following assumptions to create the cost estimates for the
two biometric watch list scenarios:
* The watch list database will include 10 million records.
* Matches will be performed using facial recognition technology.
* To conduct watch list checks before issuing travel documents, facial
images will be generated by capturing the physical photographs
applicants present when they apply for a visa or passport.
* The images will be collected and scanned at consulates and embassies
for visas and at passport acceptance offices and transmitted through
telecommunications resources to a central facility in metropolitan
Washington, D.C.
The estimated costs for conducting biometric watch list checks before
travelers are issued travel documents and before they enter the country
are shown in table 26.
Table 26: Estimated Costs for Watch List Checks before Issuing Travel
Documents and before Entering the United States:
[See PDF for image]
Note: In thousands of fiscal year 2002 constant dollars.
[A] Numbers do not sum because of rounding.
Source: GAO analysis.
[End of table]
Estimated Costs for Issuing Visas with Biometrics:
We developed cost estimates for six different combinations of biometric
technologies under two different possibilities for issuing visas. The
State Department receives about 10.3 million visa applications each
year. In fiscal year 2000, INS estimated that approximately 14 million
individuals traveled under the visa waiver program. If these travelers
must obtain a visa to travel to the United States, we assume that this
same number would also be required to have their biometric sample
collected. We used the following assumptions to estimate the costs of
adding biometrics to visas:
* The number of visa applicants will remain constant at 10.3 million
annually. The number of travelers in the visa waiver program will
remain constant at 14 million annually.
* Enrolling travelers using a single biometric (whether for
fingerprint, facial, or iris recognition) is estimated at 6 minutes (10
applicants enrolled per hour).
* Enrolling travelers using multiple biometrics (for example,
fingerprint and facial combined, fingerprint and iris combined, or
fingerprint, facial, and iris combined) is estimated at 10 minutes (6
applicants enrolled per hour).
* All current visa-issuing embassies and consulates will be equipped to
collect biometrics from visa applicants.
Costs were not included for additional inspectors or facility space at
ports of entry. Tables 27-32 show the cost of issuing visas with
biometrics using fingerprint recognition, iris recognition, facial
recognition, fingerprint and iris recognition, fingerprint and facial
recognition, and fingerprint, iris, and facial recognition.
Table 27: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint Recognition:
Cost element: Investment costs; Cost element: [Empty]; Annual visa
applicants: 10.3 million with visa waiver program: Annual recurring
cost:
[Empty]; Annual visa applicants: [Empty]; Annual visa applicants: 24.3
million without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Cost element:
$111,147; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: $145,645; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Development; installation; training; Cost element:
527,655; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 558,936; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric hardware; Cost element: 219,033; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 443,241; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Cost element: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Cost element: 152,500; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 152,500; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Cost element: 335,781;
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 463,606; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: $79,114; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $93,986.
Cost element: Operations and support; Cost element: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Program management; Cost element: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 22,229; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 29,129.
Cost element: Biometric hardware maintenance; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 10,905; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 16,538.
Cost element: Software and system maintenance; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 73,123; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 125,292.
Cost element: Network infrastructure maintenance; Cost element:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 19,063; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 19,063.
Cost element: Visa operating personnel; Cost element: 75,926; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 111,626; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 114,903; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 150,603.
Cost element: Port of entry operating personnel; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 94,679; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 94,679.
Cost element: Communications; Cost element: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 20,577; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 20,577.
Cost element: Recurring training; Cost element: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 32,472; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 38,040.
Cost element: Consular facility maintenance; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 89,541; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 123,628.
Cost element: Annual supplies (cards); Cost element: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 154,809; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 365,229.
Cost element: Total; Cost element: $1,422,042; Annual visa applicants:
10.3 million
with visa waiver program: Annual
recurring cost: $708,138; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: $1,878,832; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $1,076,765.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 28: Estimated Costs for Issuing Visas with Biometrics Using Iris
Recognition:
Annual visa applicants: Annual visa applicants : 10.3 million
with visa waiver program: [Empty].
Cost element: Investment; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: $110,925; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: $145,375; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Development; installation; training; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: 527,655; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 558,936; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric hardware; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: 216,563; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 440,240; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: 152,500; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 152,500; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: 335,781; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 463,606; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: $78,298; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $92,996.
Cost element: Operations and support; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Program management; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 22,185; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 29,075.
Cost element: Biometric hardware maintenance; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 10,596; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 16,163.
Cost element: Software and system maintenance; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 73,123; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 125,292.
Cost element: Network infrastructure maintenance; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 19,063; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 19,063.
Cost element: Visa operating personnel; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: 75,926; Annual visa applicants:
10.3 million
with visa waiver program: Annual recurring cost: 111,626; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 114,903; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 150,603.
Cost element: Port of entry operating personnel; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 94,679; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 94,679.
Cost element: Communications; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 20,577; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 20,577.
Cost element: Recurring training; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 32,472; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 38,040.
Cost element: Consular facility maintenance; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 89,541; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 123,628.
Cost element: Annual supplies (cards); Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 154,809; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 365,229.
Cost element: Total; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: $1,419,349; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: $706,970; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: $1,875,562; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $1,075,346.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 29: Estimated Costs for Issuing Visas with Biometrics Using
Facial Recognition:
Annual visa applicants: Annual visa applicants : 10.3 million
with visa waiver program: [Empty].
Cost element: Investment: [Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: Investment: [Empty];
Annual visa applicants: Investment: [Empty]; Annual visa applicants:
24.3 million
without visa waiver program: Initial cost: Investment: [Empty]; Annual
visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: Investment: [Empty].
Cost element: Investment: Systems engineering and program management;
Cost element: $109,258; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: $143,350; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Investment: Development; installation; training; Cost
element: 527,655; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 558,936; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Investment: Initial biometric hardware; Cost element:
198,037; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 417,737; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Investment: Initial biometric software; Cost element:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Investment: Network infrastructure; Cost element:
152,500; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 152,500; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Investment: Consular facility renovation; Cost element:
335,781; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 463,606; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Investment: Hardware infrastructure upgrade; Cost
element: [Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: $72,185; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $85,570.
Cost element: Investment: Operations and support; Cost element:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Investment: Program management; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 21,852; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 28,670.
Cost element: Investment: Biometric hardware maintenance; Cost element:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 8,280; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 13,350.
Cost element: Investment: Software and system maintenance; Cost
element: [Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 73,123; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 125,292.
Cost element: Investment: Network infrastructure maintenance; Cost
element: [Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 19,063; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 19,063.
Cost element: Investment: Visa operating personnel; Cost element:
75,926; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 111,626; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: 114,903; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 150,603.
Cost element: Investment: Port of entry operating personnel; Cost
element: [Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 94,679; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 94,679.
Cost element: Investment: Communications; Cost element: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 20,577; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 20,577.
Cost element: Investment: Recurring training; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 32,472; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 38,040.
Cost element: Investment: Consular facility maintenance; Cost element:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 89,541; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 123,628.
Cost element: Investment: Annual supplies (cards); Cost element:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual recurring cost: 154,809; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 365,229.
Cost element: Investment: Total; Cost element: $1,399,156; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: $698,207; Annual visa
applicants: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Initial cost: $1,851,033; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $1,064,702.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 30: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint and Iris Recognition:
Cost element: Investment; Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Initial cost:
$151,218; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: $193,935; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Development; installation; training; Initial cost:
820,165; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 867,087; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric hardware; Initial cost: 253,098; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 495,336; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Initial cost: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Initial cost: 228,750; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 228,750; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Initial cost: 378,188;
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 563,655; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Initial cost: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: $119,315; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $145,299.
Cost element: Operations and support; Initial cost: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Program management; Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 30,244; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 38,787.
Cost element: Biometric hardware maintenance; Initial cost: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 16,601; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 26,444.
Cost element: Software and system maintenance; Initial cost: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 96,591; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 176,331.
Cost element: Network infrastructure maintenance; Initial cost:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 28,594; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 28,594.
Cost element: Visa operating personnel; Initial cost: 95,044; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 130,744; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: 160,006; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 195,706.
Cost element: Port of entry operating personnel; Initial cost: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 94,679; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 94,679.
Cost element: Communications; Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 20,577; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 20,577.
Cost element: Recurring training; Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 70,405; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 88,966.
Cost element: Consular facility maintenance; Initial cost: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 100,850; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 150,308.
Cost element: Annual supplies (cards); Initial cost: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 154,809; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 365,229.
Cost element: Total; Initial cost: $1,926,463; Annual visa applicants:
10.3 million
with visa waiver program: Annual
recurring cost: $863,409; Annual visa applicants: [Empty]; Annual visa
applicants: 24.3 million
without visa waiver program: Initial cost: $2,508,769; Annual visa
applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $1,330,920.
Note: In thousands of fiscal year 2002 constant dollars.
Source: GAO analysis.
[End of table]
Table 31: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint and Facial Recognition:
Annual visa applicants: Annual visa applicants : 10.3 million
with visa waiver program: [Empty].
Cost element: Investment; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: $149,375; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: $191,495;
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Development; installation; training; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: 820,165; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: 867,087;
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric hardware; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: 232,621; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: 468,231;
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: 228,750; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: 228,750;
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: 378,188; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: 563,655;
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: $112,557; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $136,354.
Cost element: Operations and support; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: [Empty]; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Program management; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 29,875; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 38,299.
Cost element: Biometric hardware maintenance; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 14,042; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 23,056.
Cost element: Software and system maintenance; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 96,591; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 176,331.
Cost element: Network infrastructure maintenance; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 28,594; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 28,594.
Cost element: Visa operating personnel; Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: 95,044; Annual visa applicants:
10.3 million
with visa waiver program: Annual recurring cost: 130,744; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: 160,006;
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 195,706.
Cost element: Port of entry operating personnel; Annual visa
applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 94,679; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 94,679.
Cost element: Communications; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 20,577; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 20,577.
Cost element: Recurring training; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 70,405; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 88,966.
Cost element: Consular facility maintenance; Annual visa applicants:
10.3 million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 100,850; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 150,308.
Cost element: Annual supplies (cards); Annual visa applicants: 10.3
million
with visa waiver program: Initial cost: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: 154,809; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: [Empty];
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 365,229.
Cost element: Total; Annual visa applicants: 10.3 million
with visa waiver program: Initial cost: $1,904,143; Annual visa
applicants: 10.3 million
with visa waiver program: Annual recurring cost: $853,723; Annual visa
applicants: [Empty]; Annual visa applicants: Initial cost: $2,479,223;
Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $1,318,099.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 32: Estimated Costs for Issuing Visas with Biometrics Using
Fingerprint, Iris, and Facial Recognition:
Annual visa applicants: Annual visa applicants : 10.3 million
with visa waiver program: [Empty].
Cost element: Investment; Cost element: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Systems engineering and program mnagement; Cost element:
$177,371; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: $221,694; Annual visa applicants: 24.3
million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Development; installation; training; Cost element:
1,027,676; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: 1,090,238; Annual visa applicants: 24.3
million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric hardware; Cost element: 259,924; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: 504,372; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Cost element: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Cost element: 305,000; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: 305,000; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Cost element: 378,188;
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: 563,655; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: $150,527; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: $182,402.
Cost element: Operations and support; Cost element: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: [Empty]; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: [Empty].
Cost element: Program management; Cost element: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 35,474; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 44,339.
Cost element: Biometric hardware maintenance; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 18,893; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 30,967.
Cost element: Software and system maintenance; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 119,661; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 226,432.
Cost element: Network infrastructure maintenance; Cost element:
[Empty]; Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 38,125; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 38,125.
Cost element: Visa operating personnel; Cost element: 95,044; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 130,744; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: 160,006; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 195,706.
Cost element: Port of entry operating personnel; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 94,679; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 94,679.
Cost element: Communications; Cost element: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 20,577; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 20,577.
Cost element: Recurring training; Cost element: [Empty]; Annual visa
applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 105,608; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 133,449.
Cost element: Consular facility maintenance; Cost element: [Empty];
Annual visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 100,850; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 150,308.
Cost element: Annual supplies (cards); Cost element: [Empty]; Annual
visa applicants: 10.3 million
with visa waiver program: Annual
recurring cost: 154,809; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: [Empty]; Annual visa applicants: 24.3 million
without visa waiver program: Annual
recurring cost: 365,229.
Cost element: Total; Cost element: $2,243,202; Annual visa applicants:
10.3 million
with visa waiver program: Annual
recurring cost: $969,947; Annual visa applicants: [Empty]; Annual visa
applicants: Initial cost: $2,844,964; Annual visa applicants: 24.3
million
without visa waiver program: Annual
recurring cost: $1,482,212.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Estimated Costs for Issuing Passports with Biometrics:
We used the following assumptions to estimate the costs of adding
biometrics to passports:
* The number of passport applicants will remain constant at 7 million
annually.
* Enrolling travelers using a single biometric (whether for
fingerprint, facial, or iris recognition) is estimated at 6 minutes (10
applicants enrolled per hour).
* Enrolling travelers using multiple biometrics (for example,
fingerprint and facial combined, fingerprint and iris combined, or
fingerprint, facial, and iris combined) is estimated at 10 minutes (6
applicants enrolled per hour).
* All current passport acceptance offices will be equipped to collect
biometrics passport applicants.
Costs were not included for additional inspectors or facility space at
ports of entry. Costs are also not included for additional facility
space at passport acceptance offices.
Tables 33-38 show the cost of issuing passports with biometrics using
fingerprint recognition, iris recognition, facial recognition,
fingerprint and iris recognition, fingerprint and facial recognition,
and fingerprint, iris, and facial recognition.
Table 33: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint Recognition:
Cost element: Investment; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Initial cost:
$370,797; Annual recurring cost: [Empty].
Cost element: Development; installation; training; Initial cost:
2,665,282; Annual recurring cost: [Empty].
Cost element: Initial biometric hardware; Initial cost: 229,685; Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Initial cost: 1,225,000; Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Initial cost: [Empty];
Annual recurring cost: $450,488.
Cost element: Operations and support; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Program management; Initial cost: [Empty]; Annual
recurring cost: 74,159.
Cost element: Biometric hardware maintenance; Initial cost: [Empty];
Annual recurring cost: 17,514.
Cost element: Software and system maintenance; Initial cost: [Empty];
Annual recurring cost: 58,146.
Cost element: Network infrastructure maintenance; Initial cost:
[Empty]; Annual recurring cost: 153,125.
Cost element: Passport operating personnel; Initial cost: [Empty];
Annual recurring cost: 443,805.
Cost element: Port of entry operating personnel; Initial cost: [Empty];
Annual recurring cost: 94,679.
Cost element: Communications; Initial cost: [Empty]; Annual
recurring cost: 122,962.
Cost element: Recurring training; Initial cost: [Empty]; Annual
recurring cost: 53,875.
Cost element: Consular facility maintenance; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Annual supplies (cards); Initial cost: [Empty]; Annual
recurring cost: 105,210.
Cost element: Total; Initial cost: $4,490,764; Annual
recurring cost: $1,573,965.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 34: Estimated Costs for Issuing Passports with Biometrics Using
Iris Recognition:
Cost element: Investment; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Initial cost:
$370,366; Annual recurring cost: [Empty].
Cost element: Development; installation training; Initial cost:
2,665,282; Annual recurring cost: [Empty].
Cost element: Initial biometric hardware; Initial cost: 224,898; Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Initial cost: 1,225,000; Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Initial cost: [Empty];
Annual recurring cost: $448,908.
Cost element: Operations and support; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Program management; Initial cost: [Empty]; Annual
recurring cost: 74,073.
Cost element: Biometric hardware maintenance; Initial cost: [Empty];
Annual recurring cost: 16,916.
Cost element: Software and system maintenance; Initial cost: [Empty];
Annual recurring cost: 58,146.
Cost element: Network infrastructure maintenance; Initial cost:
[Empty]; Annual recurring cost: 153,125.
Cost element: Passport operating personnel; Initial cost: [Empty];
Annual recurring cost: 443,805.
Cost element: Port of entry operating personnel; Initial cost: [Empty];
Annual recurring cost: 94,679.
Cost element: Communications; Initial cost: [Empty]; Annual
recurring cost: 122,962.
Cost element: Recurring training; Initial cost: [Empty]; Annual
recurring cost: 53,875.
Cost element: Consular facility maintenance; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Annual supplies (cards); Initial cost: [Empty]; Annual
recurring cost: 105,210.
Cost element: Total; Initial cost: $4,485,545; Annual
recurring cost: $1,571,700.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 35: Estimated Costs for Issuing Passports with Biometrics Using
Facial Recognition:
Cost element: Investment; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Initial cost:
$367,135; Annual recurring cost: [Empty].
Cost element: Development; installation; training; Initial cost:
2,665,282; Annual recurring cost: [Empty].
Cost element: Initial biometric hardware; Initial cost: 188,991; Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Initial cost: 1,225,000; Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Initial cost: [Empty];
Annual recurring cost: $437,059.
Cost element: Operations and support; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Program management; Initial cost: [Empty]; Annual
recurring cost: 73,427.
Cost element: Biometric hardware maintenance; Initial cost: [Empty];
Annual recurring cost: 12,428.
Cost element: Software and system maintenance; Initial cost: [Empty];
Annual recurring cost: 58,146.
Cost element: Network infrastructure maintenance; Initial cost:
[Empty]; Annual recurring cost: 153,125.
Cost element: Passport operating personnel; Initial cost: [Empty];
Annual recurring cost: 443,805.
Cost element: Port of entry operating personnel; Initial cost: [Empty];
Annual recurring cost: 94,679.
Cost element: Communications; Initial cost: [Empty]; Annual
recurring cost: 122,962.
Cost element: Recurring training; Initial cost: [Empty]; Annual
recurring cost: 53,875.
Cost element: Consular facility maintenance; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Annual supplies (cards); Initial cost: [Empty]; Annual
recurring cost: 105,210.
Cost element: Total; Initial cost: $4,446,407; Annual
recurring cost: $1,554,716.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 36: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint and Iris Recognition:
Initial cost: Cost element Investment: [Empty]; Annual
recurring cost: Cost element Investment: [Empty].
Cost element: Investment: Systems engineering and program management;
Initial cost: $552,750; Annual recurring cost: [Empty].
Cost element: Investment: Development; installation; training; Initial
cost: 4,026,605; Annual recurring cost: [Empty].
Cost element: Investment: Initial biometric hardware; Initial cost:
277,560; Annual recurring cost: [Empty].
Cost element: Investment: Initial biometric software; Initial cost:
[Empty]; Annual recurring cost: [Empty].
Cost element: Investment: Network infrastructure; Initial cost:
1,837,500; Annual recurring cost: [Empty].
Cost element: Investment: Consular facility renovation; Initial cost:
[Empty]; Annual recurring cost: [Empty].
Cost element: Investment: Hardware infrastructure upgrade; Initial
cost: [Empty]; Annual recurring cost: $670,993.
Cost element: Investment: Operations and support; Initial cost:
[Empty]; Annual recurring cost: [Empty].
Cost element: Investment: Program management; Initial cost: [Empty];
Annual recurring cost: 110,550.
Cost element: Investment: Biometric hardware maintenance; Initial cost:
[Empty]; Annual recurring cost: 24,476.
Cost element: Investment: Software and system maintenance; Initial
cost: [Empty]; Annual recurring cost: 67,777.
Cost element: Investment: Network infrastructure maintenance; Initial
cost: [Empty]; Annual recurring cost: 229,688.
Cost element: Investment: Passport operating personnel; Initial cost:
[Empty]; Annual recurring cost: 443,805.
Cost element: Investment: Port of entry operating personnel; Initial
cost: [Empty]; Annual recurring cost: 94,679.
Cost element: Investment: Communications; Initial cost: [Empty]; Annual
recurring cost: 122,962.
Cost element: Investment: Recurring training; Initial cost: [Empty];
Annual recurring cost: 107,750.
Cost element: Investment: Consular facility maintenance; Initial cost:
[Empty]; Annual recurring cost: [Empty].
Cost element: Investment: Annual supplies (cards); Initial cost:
[Empty]; Annual recurring cost: 105,210.
Cost element: Investment: Total; Initial cost: $6,694,415; Annual
recurring cost: $1,977,890.
Note: In thousands of fiscal year 2002 constant dollars.
Source: GAO analysis.
[End of table]
Table 37: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint and Facial Recognition:
Cost element: Investment; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Initial cost:
$549,518; Annual recurring cost: [Empty].
Cost element: Development; installation; training; Initial cost:
4,026,605; Annual recurring cost: [Empty].
Cost element: Initial biometric hardware; Initial cost: 241,654; Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Initial cost: 1,837,500; Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Initial cost: [Empty];
Annual recurring cost: $659,144.
Cost element: Operations and support; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Program management; Initial cost: [Empty]; Annual
recurring cost: 109,904.
Cost element: Biometric hardware maintenance; Initial cost: [Empty];
Annual recurring cost: 19,988.
Cost element: Software and system maintenance; Initial cost: [Empty];
Annual recurring cost: 67,777.
Cost element: Network infrastructure maintenance; Initial cost:
[Empty]; Annual recurring cost: 229,688.
Cost element: Passport operating personnel; Initial cost: [Empty];
Annual recurring cost: 443,805.
Cost element: Port of entry operating personnel; Initial cost: [Empty];
Annual recurring cost: 94,679.
Cost element: Communications; Initial cost: [Empty]; Annual
recurring cost: 122,962.
Cost element: Recurring training; Initial cost: [Empty]; Annual
recurring cost: 107,750.
Cost element: Consular facility maintenance; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Annual supplies (cards); Initial cost: [Empty]; Annual
recurring cost: 105,210.
Cost element: Total; Initial cost: $6,655,277; Annual
recurring cost: $1,960,906.
Note: In thousands of fiscal year 2002 constant dollars. Numbers do not
sum because of rounding.
Source: GAO analysis.
[End of table]
Table 38: Estimated Costs for Issuing Passports with Biometrics Using
Fingerprint, Iris, and Facial Recognition:
Cost element: Investment; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Systems engineering and program management; Initial cost:
$723,821; Annual recurring cost: [Empty].
Cost element: Development; installation; training; Initial cost:
5,302,929; Annual recurring cost: [Empty].
Cost element: Initial biometric hardware; Initial cost: 289,529; Annual
recurring cost: [Empty].
Cost element: Initial biometric software; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Network infrastructure; Initial cost: 2,450,000; Annual
recurring cost: [Empty].
Cost element: Consular facility renovation; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Hardware infrastructure upgrade; Initial cost: [Empty];
Annual recurring cost: $879,648.
Cost element: Operations and support; Initial cost: [Empty]; Annual
recurring cost: [Empty].
Cost element: Program management; Initial cost: [Empty]; Annual
recurring cost: 144,764.
Cost element: Biometric hardware maintenance; Initial cost: [Empty];
Annual recurring cost: 26,950.
Cost element: Software and system maintenance; Initial cost: [Empty];
Annual recurring cost: 77,407.
Cost element: Network infrastructure maintenance; Initial cost:
[Empty]; Annual recurring cost: 306,250.
Cost element: Passport operating personnel; Initial cost: [Empty];
Annual recurring cost: 443,807.
Cost element: Port of entry operating personnel; Initial cost: [Empty];
Annual recurring cost: 94,679.
Cost element: Communications; Initial cost: [Empty]; Annual
recurring cost: 122,962.
Cost element: Recurring training; Initial cost: [Empty]; Annual
recurring cost: 161,625.
Cost element: Consular facility maintenance; Initial cost: [Empty];
Annual recurring cost: [Empty].
Cost element: Annual supplies (cards); Initial cost: [Empty]; Annual
recurring cost: 105,210.
Cost element: Total; Initial cost: $8,766,279; Annual
recurring cost: $2,363,302.
Note: In thousands of fiscal year 2002 constant dollars.
Source: GAO analysis.
[End of table]
[End of section]
Appendix VII: Comments from the U.S. Department of State:
United States Department of State:
Washington, D.C., 20520:
Dear Ms. Westin:
We appreciate the opportunity to review your draft report, “TECHNOLOGY
ASSESSMENT: Using Biometrics for Border Security,” GAO-02-952, GAO Job
Code 460525.
The enclosed Department of State comments are provided for
incorporation with this letter as an appendix to the final report, as
well as technical comments.
If you have any questions concerning this response, please contact
Columbia Barrosse, Office of Executive Director, Bureau of Consular
Affairs, at (202) 663-2504.
Christopher B. Burnham
Assistant Secretary and Chief Financial Officer:
Signed by Christopher B. Burnham
Enclosure:
As stated.
cc: GAO/IAT - Mr. Richard Hung State/OIG - Mr. Berman State/CA - Mr.
Frank Moss:
Ms. Susan S. Westin, Managing Director, International Affairs and
Trade, U.S. General Accounting Office.
Department of State Comments on GAO Draft Report:
TECHNOLOGY ASSESSMENT: Using Biometrics for Border Security (GAO-02-
952, Job Code 460525):
The Department appreciates the thorough and balanced approach taken by
GAO in its assessment of the use of biometrics for Border Security. We
find the overall thrust of the report to be in keeping with our own
considerations of how a biometrics component could be used in the
admission of individuals into the United States and how it could be
integrated into the existing process for visa and passport
applications. We are particularly gratified to see the GAO report
stress the need for high-level policy decisions to be made prior to
execution of a biometrics program. Foremost among these are: a decision
regarding the specific uses to be made of the biometrics data
(identification of individuals, exclusion of dangerous or otherwise
inadmissible individuals, etc.); and a cost benefit analysis that
weighs effectiveness and security benefits of the program versus
resource costs and probable implications or consequences of
implementation (including economic, civil liberty and foreign policy).
These policy decisions must be made before a selection of the options
laid out in this study can be made, a final estimated cost reached, and
execution and successful implementation of the program by all involved
agencies take place.
It should be noted that the State Department has some additional
options for implementation of a biometrics program that will be laid
out in our own study. They do not necessarily generally conflict with
the options set forth in the GAO report, though final estimated costs
might differ.
[End of section]
Appendix VIII: Comments from the U.S. Department of Justice:
U.S. Department of Justice:
Washington, D.C. 20530:
OCT 3, 2002:
Ms. Nancy Kingsbury, Managing Director, Applied Research and Methods
Issues U.S. General Accounting Office:
441 G Street, NW Washington, D.C. 20548:
Dear Ms. Kingsbury:
On August 30, 2002, the General Accounting Office (GAO) provided the
Department of Justice (DOJ) copies of its draft report entitled
“TECHNOLOGY ASSESSMENT: Using Biometrics for Border Security.” The DOJ
is concerned that the report fails to adequately address some of the
serious difficulties associated with such programs. The DOJ believes
the report does not 1) properly consider an overall border security
strategy; 2) adequately recognize the draft National Institute of
Standards and Technology (NIST) certified standards recommendations for
biometrics, tamper-resistant travel documents, or interoperability; or
3) fully explore the advantages of some biometrics over others. In
addition, the report contains a number of serious analytical weaknesses
related to a misunderstanding of the false match rate metric and to
performance data and levels. A proper understanding and use of
biometrics is a critical component of increasing both security and
efficiency at our border crossings. The GAO can play an important role
in educating the government and the public as to the possibilities and
limitations of such systems. We urge the GAO to reconsider major
portions of this report, which currently rely on questionable
information and interpretation, and to very carefully critique the
report to ensure the accuracy of all the information presented.
An Overall Border Security Strategy.
Earlier this year the DOJ prepared an overall border security strategy
to significantly improve border security and meet legislative intent
and it has shared its strategy with the Office of Homeland Security,
the Department of State and others. The U.S. Government is continuing
to consider this strategy. The eventual direction selected will require
a major investment in border systems and will need to be a foundation
for future improvements. Since the existing border security processes,
systems, and databases are fragmented and can be readily compromised,
any substantial investment in the current state could be a throwaway
and thus, it would not yield improvements commensurate with the huge
investment required.
In addition, if the requirement to provide a biometric-based enrollment
is limited to visa applicants (about 3 percent of the visits to the
United States), the impact on preventing potential terrorists entry
into the country would be marginalized. Unless enrolling visa
applicants is just the first step in a larger process of using
biometric-based enrollments, making a huge investment that improves
borders security controls for only one of many border entry paths (e.g.
visa holders, immigrants, Mexicans with border crossing cards; certain
residents of visa-waiver countries; entrants through the Canadian
border; U.S. citizens) should be challenged. Without strengthening the
controls of the other paths, it would be easy for terrorists to enter
via one of those paths.
NIST Standards.
The NIST study, required in the PATRIOT Act, is reaching its final
recommendations based on empirical data and scientific methods. The
Attorney General and the Secretary of State will rely on the NIST
report with regard to the adoption of a technical standard for the
design and development of a system to establish and verify unique
identities. However, the GAO draft report appears to present
information about biometrics inconsistent with the direction of NIST.
The GAO team should examine the NIST direction to ensure that its
report accurately reflects how various biometrics would fit in the
overall context of the intended application. The intended application
must: 1) employ a biometric that is able to establish and verify a
unique identity in a hundreds of millions population, 2) be used to run
a check against criminal records, and 3) operate with a very low risk
of either false positive reads or the verification process being
ineffective in different border, lighting, and weather conditions. To
the extent possible, empirical evidence should support these
requirements thereby mitigating the risk of making such a major
investment only to discover that the biometric cannot meet the core
requirements.
Advantages of Selected Biometrics:
in reviewing the use of biometrics, there are certain advantages to the
use of fingerprints. Section 221 (b) of the Immigration and Nationality
Act (INA) requires each alien applying for a visa to be registered by
the Department of State unless waived at the discretion of the
Secretary of State. Section 262 of the INA further clarifies this
registration process to include the collection of fingerprints by
stating that every alien in the United States not registered and
fingerprinted under section 221 (b) who remains in the United States 30
days or longer must apply for registration and be fingerprinted before
the expiration of the 30 day period. We believe this constitutes a
statutory mandate to register and collect fingerprints for all aliens
applying for visas. When considering the variety of biometrics
technologies amenable to support border control processes, the GAO
should recognize this existing statutory requirement for the pre-
arrival collection of fingerprint biometrics for all aliens with visas
seeking to travel to the United States.
Fingerprints also are the most effective biometric for computer
identification on a large scale. In addition, unlike other biometric
data, fingerprints are left at crime scenes. The ability to run latent
(unidentified) fingerprints collected at the scene of criminal or
terrorist incidents against the database of aliens present in the
United States has immense law enforcement value. The National Security
Entry-Exit Registration System (NSEERS) is already making use of this
capacity in its fingerprintchecks at the border. Further, the report
does not consider that the use of fingerprints would allow a search of
the incoming visa applicants against the 43 million ten prints sets in
Integrated Automated Fingerprint Identification System (IAFIS) to check
for prior criminal history. Extrapolating data from the GAO study,
approximately 900 persons with prior criminal activity would be
screened
out per year. While this number is statistically small compared to the
total applicant pool, it is significant when one considers the type of
person we are trying to prevent from entering the United States. In
fact,
the ability of fingerprints to provide quick, reliable matches at the
border has been well demonstrated by the IDENT/IAFIS integration
project. Running prints from aliens in secondary inspection and
apprehended by the Border Patrol against this database led to 2,511
arrests between January 1, 2002 and September 18, 2002. This project
has been yielding approximately 70 “hits” per week.
Analytical Issues.
While the report provides an overview of biometric products that are
typically used for data and facility access control for relatively
small systems, it does not provide sufficient analysis of large systems
such as those that will be required for effective Border Control. To
prevent duplicate identification documents, the subjects enrolled in
the Border Control system will have to be searched against each other.
This capability will require that the system be of the same order of
magnitude as that of IAFIS. It therefore follows that the biometrics
used for such a system must have performance numbers that are of the
same order of magnitude as IAFIS. We question the reported performance
of the facial recognition based Mexican Federal Elections Institute
system with respect to false alarms since all available biometric data
points to the impossibility of conducting effective facial recognition
on that scale. It is suspected that the system does not compare all new
search facial records against the database of 60,000,0001t probably
performs verification only and the database is likely to contain many
duplicate records.
Although the report addresses performance issues, it fails to tie the
performance requirements with realistic operational impact analysis due
in large part to a misuse and misunderstanding the false match rate
(FMR) metric. The FMRs and the False Non Matching Rates (FNMR) are
dependent on the number of fingerprints captured, the type of image
captured (rolled or plain), and the skill and experience of the
individual capturing the fingerprint. To assess the impact of the FMR
in a given operational setting it would be necessary to consider the
size of each operational database and the workload. This relationship
is not clearly explained in this report.
Failure to Properly Define and Use the FMR Metric. The report’s entire
analysis flows as if the size of the required biometric database is
irrelevant. It is critical to differentiate between matching errors
(FMR and FNMR) and decision errors (false accept rate and false reject
rate.) The former are based on one-to-one comparisons and should be
independent of the database size, while the later are based on
transactions and depend on database size. The FMR is the probability of
a false match when one search biometric is compared against one file
biometric. It is a metric that is independent of the size of the
database. It corresponds to the FNMR which is the probability of a non
match when a search biometric is compared against its mated file
biometric. An equal rate metric is a popular method for quickly
comparing
relative performance metrics for different biometric systems. However,
it
only makes sense if the two metrics are applied consistently. The
improper
use of the FMR is in part due to the lack of consistent standards
within
the industry in reporting their performance levels.
The FMR usually must be resolved by manual means. This has a serious
impact on the operational staffing and facility requirements. To assess
the impact of the FMR in a given operational setting it is necessary to
consider the size of the operational database and the workload. The
total number of false matches during operations that must be resolved
by the operators during a typical day will be the FMR multiplied by the
size of the file database multiplied by the daily workload. This
relationship is not clearly explained in the report, worse the FMR is
sometimes cited as a system metric that does not rationalize the number
by the database size. The significance of this error is exponential.
Systems Performance Data and Levels. The report also provides incorrect
performance data for the IAFIS and provides no performance data for
other large biometric systems. These two errors lead the report to
incorrect conclusions with respect to the viability of various
biometric devices. IAFIS was tested rigorously during development and
acceptance testing. The system also has been periodically retested to
ensure that the performance levels are maintained and improved. In
addition, daily statistics are collected for the FMR and failure to
enroll rate. The LUIS performance levels indicate that only a multiple
finger based system is capable of supporting the Border Control
identification (enrollment) functionality.
The report does not address the fact that some biometrics are by nature
multiple biometric. Most subjects have ten fingers, two eyes, and two
hands. Nor does the report address the variations in fingerprint
technology and the impact of these technologies on system performance.
The more data that is captured the better the potential for achieving
high performance levels. For IAFIS the primary biometric is ten rolled
fingers. In effect it is like fusing ten different biometrics. This is
what allows IAFIS to achieve its outstanding performance levels. Tests
are currently being conducted to determine the impact on IAFIS of using
flat fingerprint data and possibly fewer fingers. All of these factors
will play an important role in the design of the Border Control
systems.
There also is the issue of the amount of data that is captured.
Performance levels can be improved by the simple process of storing and
matching against multiple file data. That is, instead of keeping one
facial image or one set of fingerprints on file, keep multiple copies
on file. By having more copies on file the FNMR can be increased with
corresponding trade-offs on the FMR. This clearly has implications:
on the size of the central matching system. Further, to evaluate the
efficacy of the biometrics it is recommended that target performance
levels be specified for all of pertinent metrics for identification and
verification. In all likelihood different combinations of biometrics
will be used for the two functions. Establishing goals also will
provide the necessary signals for industry to improve their products or
to make more effective use of the biometric information that may be
available.
In conclusion, we note that the GAO draft report infers that any move
toward biometrics be made slowly and cautiously. While we agree that it
is important to proceed judiciously, we must also instill the sense of
congressional urgency, both implied and expressed, in the PATRIOT Act
and the Enhanced Border Security Act. The DOJ believes that the current
border security processes are not effectively preventing terrorists and
other criminals from entry into the United States. Most of the
processes and systems were designed for a different set of problems
decades ago. Adopting biometrics-based unique identification method is
a key element in changing what exists today to meet these new
challenges to our border security.
As noted by the above comments, we believe that the report falls short
by not adequately addressing these significant issues. The DOJ urges
you to consider its concerns in preparing the final GAO report on this
important subject. If you have any questions regarding the Department’s
comments, you may contact Vickie L. Sloan, Director, Audit Liaison
Office, on (202) 514-0469.
Sincerely,
Robert F. Diegelman
Acting Assistant Attorney General for Administration
Signed by Robert F. Diegelman
[End of section]
Appendix IX: GAO Contacts and Acknowledgments:
GAO Contacts:
Nancy R. Kingsbury (202) 512-2700; kingsburyn@gao.gov.
Naba Barkakati (202) 512-4499; barkakatin@gao.gov.
Acknowledgments:
Additional staff who made major contributions to this report were
Venkareddy Chennareddy, Barbara Hills, Ashfaq Huda, Richard Hung,
Elizabeth Johnston, John C. Martin, Eric Ow, Madhav Panwar, Penny
Pickett, Tracy Pierson, David Plocher, and Karen Richey.
We gratefully acknowledge the time and assistance of the following
people who reviewed a draft of this report: Dennis Carlton,
International Biometric Group; Paul Collier, The Biometric Foundation;
Larry Hornak, West Virginia University; Anil Jain, Michigan State
University; Rick Lazarick, Transportation Security Administration;
Peter Neumann, SRI International; Lee Tien, Electronic Frontier
Foundation; Jim Wayman, San Jose State University; Charles Wilson,
National Institute of Standards and Technology; and John Woodward, RAND
Corporation.
We also appreciate the contributions provided by the following
organizations during our meetings on biometrics and border security:
Airports Council International; American Civil Liberties Union;
American Immigration Lawyers Association; Biometric Technology Inc.;
Border Trade Alliance; Cameron County Bridge Systems; Cogent Systems
Inc.; Electronic Data Systems Corp.; Electronic Privacy Information
Center; EyeTicket Corp.; Graphco Technologies Inc.; Identix Inc.;
International Biometric Industry Association; International
Organization of Masters, Mates, and Pilots; Iridian Technologies Inc.;
Mitretek Systems Inc.; National Council La Raza; Recognition Systems
Inc.; Sagem Morpho Inc.; and Viisage Technology Inc.
[End of section]
Bibliography:
American Association of Motor Vehicle Administrators. AAMVA National
Standard for the Driver License/Identification Card. AAMVA DL/ID-2000.
June 30, 2000. http://www.aamva.org/standards/:
American National Standards Institute. Biometric Information and
Security. ANSI X9.84-2001, 2001. http://www.ansi.org/default.asp:
BioAPI Consortium. BioAPI Specification Version 1.1, March 16, 2001.
http://www.bioapi.org/:
Blackburn, Duane M., Mike Bone, and P. Jonathon Phillips. Facial
Recognition Vendor Test 2000: Evaluation Report. Sponsored by DOD
Counterdrug Technology Development Program Office, Defense Advanced
Research Projects Agency, and National Institute of Justice, February
16, 2001. http://www.frvt.org/FRVT2000/documents.htm:
International Civil Aviation Organization. Machine Readable Travel
Documents Technical Report: Selection of a Globally Interoperable
Biometric for Machine-Assisted Identity Confirmation with MRTDS, 1st
ed., 2001. http://www.icao.int/index.cfm:
Jain, Anil, Ruud Bolle, and Sharath Pankanti, eds. Biometrics: Personal
Identification in Networked Society. Boston: Kluwer Academic
Publishers, 1999.
Maio, Dario, and others. “FVC 2000: Fingerprint Verification
Competition,” technical report, University of Bologna, Department of
Electronics, Computer Science, and Systems, September 2000.
Mansfield, Tony, and others. Biometric Product Testing Final Report.
Middlesex, Eng.: National Physical Laboratory, March 19, 2001.
Nanavati, Samir, Michael Thieme, and Raj Nanavati. Biometrics: Identity
Verification in a Networked World. New York: John Wiley & Sons, 2002.
National Institute of Standards and Technology. Common Biometric
Exchange File Format (CBEFF), NISTIR 6529. Gaithersburg, Md.: January
3, 2001.
Phillips, P. Jonathon, and others. “An Introduction to Evaluating
Biometric Systems.” IEEE Computer 33:2 (February 2000): 56-63.
U.S. General Accounting Office. Computer Security: Improvements Needed
to Reduce Risk to Critical Federal Operations and Assets. GAO-02-231T.
Washington, D.C.: November 9, 2001.
U.S. General Accounting Office. Electronic Benefits Transfer: Use of
Biometrics to Deter Fraud in the Nationwide EBT Program. GAO/OSI-95-20.
Washington, D.C.: September 29, 1995.
U.S. General Accounting Office. Federal Funding for Selected
Surveillance Technologies. GAO-02-438R. Washington, D.C.: March 14,
2002.
U.S. General Accounting. Homeland Security: Challenges and Strategies
in Addressing Short-and Long-Term National Needs. GAO-02-160T.
Washington, D.C.: November 7, 2001.
U.S. General Accounting Office. Identity Fraud: Prevalence and Links to
Alien Illegal Activities. GAO-02-830T. Washington, D.C.: June 25, 2002.
U.S. General Accounting Office. Information Security: Advances and
Remaining Challenges to Adoption of Public Key Infrastructure
Technology. GAO-01-277. Washington, D.C.: February 26, 2001.
U.S. General Accounting Office. Information Security: Opportunities for
Improved OMB Oversight of Agency Practices. GAO/AIMD-96-110.
Washington, D.C.: September 24, 1996.
U.S. General Accounting Office. National Preparedness: Technologies to
Secure Federal Buildings. GAO-02-687T. Washington, D.C.: April 25,
2002.
U.S. General Accounting Office. Social Security Numbers: Government
Benefits from SSN Use but Could Provide Better Safeguards. GAO-02-352.
Washington, D.C.: May 31, 2002.
FOOTNOTES
[1] The term biometrics is commonly used to mean biometric technologies
and the characteristics themselves.
[2] See 8 U.S.C. §1365a and §1722. These laws’ requirements reflect
provisions of the Illegal Immigration Reform and Immigrant
Responsibility Act of 1996 (Public Law No. 104-208, div. C, §110, Sept.
30, 1996), the INS Data Management Improvement Act of 2000 (Public Law
No. 106-215, June 15, 2000), the Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (USA PATRIOT Act) (Public Law No. 107-56, §403(c)
and §414, Oct. 26, 2001), and the Enhanced Border Security and Visa
Entry Reform Act of 2002 (Public Law No. 107-173, May 14, 2002).
[3] The information in Chimera is to be accessible to federal law
enforcement and intelligence officers who, under federal regulation,
are responsible for investigating or identifying aliens (Enhanced
Border Security and Visa Entry Reform Act, §202(a)(5) (8 U.S.C.
§1722)), to federal law enforcement officials to identify and detain
individuals who pose a threat to national security (USA PATRIOT Act,
§414(b) (8 U.S.C. §1365a note)), and, at the discretion of the attorney
general, to federal, state, and local law enforcement officials for law
enforcement purposes (INS Data Management Improvement Act, §2 (8 U.S.C.
§1365a(f)(2)), amending the Illegal Immigration Reform and Immigrant
Responsibility Act of 1996, §110).
[4] Enhanced Border Security and Visa Entry Reform Act, §201(c)(3) and
§201(c)(4) (8 U.S.C. §1356a note). The USA PATRIOT Act §403(a)
(amending 8 U.S.C. §1105) has virtually identical requirements with
regard to the State Department’s receiving National Crime Information
Center data.
[5] USA PATRIOT Act, §403(c)(2) and §403(c)(4).
[6] Enhanced Border Security and Visa Entry Reform Act, §203 (8 U.S.C.
§1723).
[7] The Immigration and Nationality Act of 1952, as amended (8 U.S.C.
§1101 et seq.), and titles 8 and 22 of the Code of Federal Regulations
are the primary sources of U.S. immigration law.
[8] According to the Department of Justice, passports are not required
of U.S. citizens returning from any point within the Western Hemisphere
except Cuba.
[9] The visa waiver program permits nationals from designated countries
to apply for admission to the United States for 90 days or less as
nonimmigrant visitors for business or pleasure without first obtaining
a U.S. nonimmigrant visa. The following countries participate: Andorra,
Australia, Austria, Belgium, Brunei, Denmark, Finland, France, Germany,
Iceland, Ireland, Italy, Japan, Liechtenstein, Luxembourg, Monaco, the
Netherlands, New Zealand, Norway, Portugal, San Marino, Singapore,
Slovenia, Spain, Sweden, Switzerland, the United Kingdom, and Uruguay
(8 U.S.C. §1187, 8 C.F.R. §217.2).
[10] Passports may be denied for reasons set forth in 22 C.F.R. §51.70.
[11] The process for issuing immigrant visas, although similar to that
for nonimmigrant visas, includes other procedures and checks such as
the submission of an immigration petition to INS. About 628,000
immigrant visas are issued each year.
[12] The State Department is adding 8 million criminal history alien
records from the Federal Bureau of Investigation (FBI). These records
include foreign-born individuals and individuals with unknown place of
birth.
[13] Visas may be denied for reasons listed in the Immigration and
Nationality Act, §212 (8 U.S.C. §1182).
[14] In January 2003, INS plans to publish regulations in response to
the Enhanced Border Security and Visa Entry Reform Act to mandate
electronic manifest transmission from carriers at air and sea ports of
entry for all arriving and departing passengers.
[15] A Mexican border crossing card permits the holder to enter for
business or pleasure and stay in the United States for 72 hours or
less, going no farther than 25 miles from the border.
[16] P. Jonathon Phillips and others, “An Introduction to Evaluating
Biometric Systems,” IEEE Computer 33:2 (2000): 56-63.
[17] FRVT 2000 was sponsored by the DOD Counterdrug Technology
Development Program Office, Defense Advanced Research Projects Agency,
and National Institute of Justice. The test goals were to know the
strengths and weaknesses of each individual system, understand the
current state of the art for facial recognition, and educate the
community and general public on how to present and analyze results.
[18] NPL in the United Kingdom is analogous to the National Institute
of Standards and Technology (NIST) in the United States.
[19] Lisa Thalheim, Jan Krissler, and Peter-Michael Ziegler, “Body
Check: Biometric Access Protection Devices and Their Programs Put to
the Test,” trans. Robert Smith, c’t Magazine 11 (2002): 114.
[20] JPEG members are experts nominated by national standards bodies
and major companies to produce standards for continuous tone image
coding. “Joint” refers to the group’s status as a committee working on
standards for both the International Organization for Standardization
and International Telecommunication Union-Telecommunication.
[21] According to a February 2001 study conducted for the FBI, WSQ and
JPEG 2000 formats are similar enough that questions may emerge about
migration of the FBI standard to the JPEG 2000 standard. Such questions
would include weighing some advantages against other disadvantages of
changing an accepted standard that is already widely used.
[22] From 1997 to 2001, INCITS operated under the name Accredited
Standards Committee NCITS, National Committee for Information
Technology Standards. From 1961 to 1996, NCITS operated under the name
Accredited Standards Committee X3, Information Technology.
[23] Government information security reform provisions of the FY 2001
Defense Authorization Act--for example, 44 U.S.C. §3534(a); Clinger-
Cohen Act of 1996--for example, 40 U.S.C. §11313(6); Paperwork
Reduction Act of 1995--for example, 44 U.S.C. §3506(g); and Computer
Security Act of 1987--for example, 40 U.S.C. §11332.
[24] U.S. General Accounting Office, Information Security:
Opportunities for Improved OMB Oversight of Agency Practices, GAO/
AIMD-96-110 (Washington, D.C.: September 24, 1996).
[25] U.S. General Accounting Office, Computer Security: Improvements
Needed to Reduce Risk to Critical Federal Operations and Assets,
GAO-02-231T (Washington, D.C.: November 9, 2001).
[26] U.S. Bureau of the Census, Evaluating Components of International
Migration: Estimates of the Foreign-Born Population by Migrant Status
in 2000, Population Division Working Paper 58 (Washington, D.C.:
December 2001).
[27] U.S. Immigration and Naturalization Service, Statistical Yearbook
of the Immigration and Naturalization Service, 2000 (Washington D.C.:
U.S. Government Printing Office, September 2002), 271-74.
[28] The Privacy Act of 1974 (5 U.S.C. §552a) and the Computer Security
Act of 1987, Public Law 100-235 (15 U.S.C. §278g-3 and 4, 40 U.S.C.
§11331, and 40 U.S.C. §11332).
[29] 5 U.S.C. §552a(a)(4).
[30] 5 U.S.C. §552a(a)(2).
[31] 5 U.S.C. §552a(b), (j), (k).
[32] U.S. General Accounting Office, Social Security Numbers:
Government Benefits from SSN Use but Could Provide Better Safeguards,
GAO-02-352 (Washington, D.C.: May 31, 2002).
[33] U.S. General Accounting Office, Identity Fraud: Prevalence and
Links to Alien Illegal Activities, GAO-02-830T (Washington, D.C.: June
25, 2002).
[34] Maquiladora refers to a Mexican company that imports, on a duty-
free basis, machinery, equipment, and materials for the manufacture of
finished goods for subsequent export.
[35] For more information on cost-benefit analysis, see Office of
Management and Budget, Guidelines and Discount Rates for Benefit-Cost
Analysis of Federal Programs, Circular A-94 (Washington, D.C.: October
29, 1992; rev. January 22, 2002).
[36] U.S. General Accounting Office, National Preparedness:
Technologies to Secure Federal Buildings, GAO-02-687T (Washington,
D.C.: April 25, 2002).
[37] U.S. General Accounting Office, Homeland Security: Challenges and
Strategies in Addressing Short-and Long-Term National Needs, GAO-02-
160T (Washington, D.C.: November 7, 2001).
[38] We have a standing contract with NAS under which NAS provides
assistance in convening groups of experts to provide information and
expertise to our engagements. NAS uses its scientific networks to
identify participants and uses its facilities and processes to arrange
the meetings. Recording and using the information in a report is our
responsibility.
[39] U.S. v. Byron C. Mitchell (Criminal Action No. 96-407-1, U.S.
District Court for the Eastern District of Pennsylvania 1999).
[40] U.S. v. Carlos Ivan Llera Plaza, Wilfredo Martinez Acosta, and
Victor Rodriguez (Criminal Action No. 98-362-10, 11,12, U.S. District
Court for the Eastern District of Pennsylvania 2002).
[41] Ridges are the upper skin layer segments of the finger; valleys
are the lower segments.
[42] To allow for scarred or injured fingers, drivers typically
enrolled two digits.
[43] FNMR analysis from system performance testing by Jim L. Wayman,
U.S. National Biometric Test Center, College of Engineering, San Jose
State University, San Jose, California.
[44] Other facial recognition technologies based on thermal patterns
below the skin are not yet commercially viable.
[45] Fifteen different agencies are sponsors of FRVT 2002, including
the Defense Advanced Research Projects Agency, the National Institute
of Justice, and the Transportation Security Administration. NIST is
selecting images and computing test scores.
[46] The annual Diversity Visa Lottery Program makes 50,000 immigrant
visas available through a lottery to people who wish to come to the
United States from countries with low immigration rates. Winners are
chosen randomly from all qualified entries by the State Department’s
National Visa Center.
[47] The Schengen agreement, begun in 1985, is designed to facilitate
travel within the European Union. Passengers flying between member
countries now leave from domestic rather than international airport
terminals, eliminating the need to present travel documents when
entering and exiting. The Schengen agreement went into effect in
Iceland on March 25, 2001.
GAO’s Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO’s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO’s Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as “Today’s Reports,” on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select “Subscribe to daily E-mail alert for newly
released products” under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548: